From 5fe6986f6aad5187a652545ac93f37b9f1f307ee Mon Sep 17 00:00:00 2001
From: =?utf8?q?Olivier=20Larchev=C3=AAque?=
Date: Tue, 20 Mar 2012 11:38:53 -0400
Subject: [PATCH] protect against usurpation

---
 project/recrutement/admin.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/project/recrutement/admin.py b/project/recrutement/admin.py
index 79c7c75..6b346c2 100644
--- a/project/recrutement/admin.py
+++ b/project/recrutement/admin.py
@@ -496,8 +496,13 @@ class CandidatEvaluationAdmin(admin.ModelAdmin):
 }),
 )
 
- ### Actions à afficher
 def get_actions(self, request):
+ # on stocke l'evaluateur connecté (pas forcément la meilleure place...)
+ try:
+ self.evaluateur = Evaluateur.objects.get(user=request.user)
+ except:
+ self.evaluateur = None
+
 actions = super(CandidatEvaluationAdmin, self).get_actions(request)
 del actions['delete_selected']
 return actions
@@ -511,9 +516,16 @@ class CandidatEvaluationAdmin(admin.ModelAdmin):
 """
 page = self.model.__name__.lower()
 redirect_url = 'admin:recrutement_%s_change' % page
+
 if obj.note is None:
- return "Candidat non évalué" % (reverse(redirect_url, args=(obj.id,)))
- return "%s" % (reverse(redirect_url, args=(obj.id,)), obj.note)
+ label = "Candidat non évalué"
+ else:
+ label = obj.note
+
+ if self.evaluateur == obj.evaluateur:
+ return "%s" % (reverse(redirect_url, args=(obj.id,)), label)
+ else:
+ return label
 _note.allow_tags = True
 _note.short_description = "Note"
 _note.admin_order_field = 'note'
@@ -625,7 +637,7 @@ class MesCandidatEvaluationAdmin(CandidatEvaluationAdmin):
 except:
 is_evaluateur = False
 
- if obj is None or is_evaluateur:
+ if obj is None and is_evaluateur:
 return True
 
 try:
-- 
1.7.10.4
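Review bot: `self.evaluateur` assigned in get_actions lives on the ModelAdmin instance, which Django instantiates once per admin site and shares between all requests and threads, so two concurrent changelist requests overwrite each other's value and `_note` (next hunk) can end up comparing a row against another user's Evaluateur — the usurpation check this commit adds then depends on request timing. Per-request state belongs on the request or on the rows themselves (for instance tagging each object with the current evaluateur in the queryset hook that receives `request`) rather than on `self`; if it must stay on `self`, the comment should say explicitly that it is only valid for the request that set it. The bare `except:` also masks `MultipleObjectsReturned` and unrelated errors as "no evaluateur"; narrow it to `except Evaluateur.DoesNotExist:` followed by `self.evaluateur = None`. get_actions is complete within the hunk; the class continues outside it.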
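Review bot: As displayed, the new line `return "%s" % (reverse(redirect_url, args=(obj.id,)), label)` formats two values through a single placeholder, which raises TypeError when the column is rendered; this may be extraction dropping surrounding markup, but the replaced line had the same shape, so confirm the format string really carries two placeholders. Hiding the link here is presentation only: `reverse(redirect_url, ...)` stays a valid URL for every evaluateur, so access to the change page still has to be denied by the permission check (see the third hunk), and a docstring line such as `Rendered as a link only for the evaluateur stored by get_actions; plain text otherwise.` would make that division of responsibility explicit. `self.evaluateur` is also read unguarded, so any render path that reaches `_note` before get_actions has run on this instance raises AttributeError; `if getattr(self, 'evaluateur', None) == obj.evaluateur:` fails closed instead. The `_note` method begins before the hunk.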
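Review bot: With `or` replaced by `and`, a request where `obj is None` and the user is not an evaluateur no longer returns True but falls through to the `try:` below, which is outside the hunk, so whether such a user is now denied the changelist or handled there is not visible from this change; a comment on the new line, `# changelist (obj is None) is open to evaluateurs only; per-object rules follow`, plus a docstring stating the intended rule would make that explicit. The bare `except:` that sets `is_evaluateur = False` predates this commit, but with the new condition it decides access directly, so narrowing it to the specific lookup exception belongs in the same change. This looks like a permission hook, but the method starts and ends outside the hunk.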