add permissions RH
authorOlivier Larchevêque <olivier.larcheveque@auf.org>
Mon, 9 Jan 2012 18:52:38 +0000 (13:52 -0500)
committerOlivier Larchevêque <olivier.larcheveque@auf.org>
Mon, 9 Jan 2012 18:52:38 +0000 (13:52 -0500)
project/rh/lib.py
project/rh/views.py

index e915ed8..e073356 100644 (file)
@@ -30,16 +30,23 @@ class LinkedInline(admin.options.InlineModelAdmin):
 class ProtectRegionMixin(object):
 
     def queryset(self, request):
+        from dae.workflow import grp_drh, grp_correspondants_rh
         qs = super(ProtectRegionMixin, self).queryset(request)
 
         if request.user.is_superuser:
             return qs
 
-        employe = get_employe_from_user(request.user)
+        user_groups = request.user.groups.all()
 
-        q = Q(**{self.model.prefix_implantation: employe.implantation.region})
-        qs = qs.filter(q).distinct()
-        return qs
+        if grp_drh in user_groups:
+            return qs
+
+        if grp_correspondants_rh in user_groups:
+            employe = get_employe_from_user(request.user)
+            q = Q(**{self.model.prefix_implantation: employe.implantation.region})
+            qs = qs.filter(q).distinct()
+            return qs
+        return qs.none()
 
     def has_change_permission(self, request, obj=None):
         if request.user.is_superuser:
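Review bot: The `grp_correspondants_rh` branch of `queryset` dereferences `employe.implantation.region` without checking the lookup result, so a group member with no linked employe or implantation would presumably hit a server error rather than an empty list; `get_employe_from_user` is not visible here, so confirm what it returns on a miss. A guard such as `if employe is None or employe.implantation is None: return qs.none()` would keep this path fail-closed, like the final `return qs.none()`. The same group/region rule is written a second time in `region_protected` in project/rh/views.py, and a shared helper would stop the admin and the views from drifting apart. The next hunk in this file deletes `DossierAdmin.queryset`, which returned `self.model.actifs.all()`, so the Dossier list now starts from the default manager and the active-only restriction appears to be dropped; confirm that is intended. `has_change_permission` continues outside the hunk, so whether it applies the same group rules cannot be checked from here.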
@@ -280,9 +287,6 @@ class DossierAdmin(AUFMetadataAdminMixin, ProtectRegionMixin, admin.ModelAdmin,)
         }),
     )
 
-    def queryset(self, request):
-        return self.model.actifs.all()
-
     class Media:
         js = ('js/dossier.js',)
 
index bd714ed..e6a2354 100644 (file)
@@ -194,6 +194,30 @@ def rapports_remuneration(request):
 
     return render_to_response('rh/rapports/remuneration.html', c, RequestContext(request))
 
+def region_protected(model):
+    def wrapper(func):
+        def wrapped(request, id):
+            from django.db.models import Q
+            from dae.utils import get_employe_from_user
+            from dae.decorators import redirect_interdiction
+            from dae.workflow import grp_drh, grp_correspondants_rh
+            if request.user.is_superuser:
+                return func(request, id)
+            user_groups = request.user.groups.all()
+            if grp_drh in user_groups:
+                return func(request, id)
+            if grp_correspondants_rh in user_groups:
+                employe = get_employe_from_user(request.user)
+                q = Q(**{model.prefix_implantation: employe.implantation.region})
+                qs = model.objects.filter(q)
+                if id in [o.id for o in qs]:
+                    return func(request, id)
+            return redirect_interdiction(request)
+        return wrapped
+    return wrapper
+
+
+@region_protected(rh.Dossier)
 def dossier_apercu(request, dossier_id):
     c = {
         'is_popup' : request.GET.get('_popup', False),
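Review bot: In `wrapped`, the test `id in [o.id for o in qs]` compares the URL-captured key with integer primary keys; captured URL groups reach the view as strings, so unless the value is converted somewhere not shown the test is never true and every correspondant RH is redirected, even for records in their own region. The list comprehension also loads every row of the region on each request. Letting the database decide avoids both problems: `if qs.filter(pk=id).exists():`. Separately, `wrapped(request, id)` takes the key positionally and drops the view's name and docstring; if the URLconf (not shown) uses named groups such as `dossier_id`, the call would raise `TypeError`, so forwarding `*args, **kwargs` and applying `functools.wraps(func)` would be safer. The same decorator is applied to `employe_apercu` and `poste_apercu` in the two following hunks, and the body of `dossier_apercu` continues outside this hunk.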
@@ -202,6 +226,7 @@ def dossier_apercu(request, dossier_id):
     }
     return render_to_response('admin/rh/dossier/apercu.html', c, RequestContext(request))
 
+@region_protected(rh.Employe)
 def employe_apercu(request, employe_id):
     employe = get_object_or_404(rh.Employe, pk=employe_id)
     try:
@@ -216,6 +241,8 @@ def employe_apercu(request, employe_id):
     }
     return render_to_response('admin/rh/employe/apercu.html', c, RequestContext(request))
 
+
+@region_protected(rh.Poste)
 def poste_apercu(request, poste_id):
     c = {
         'is_popup' : request.GET.get('_popup', False),