From 83088026f89732dc64683fc14f98fb9fa38c009b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Olivier=20Larchev=C3=AAque?= <olivier.larcheveque@auf.org>
Date: Tue, 10 May 2011 09:37:14 -0400
Subject: [PATCH 1/1] securisation de toutes les vues

---
 project/dae/decorators.py |   17 +++++
 project/dae/views.py      |  156 +++++++++++++++++++++++++--------------------
 2 files changed, 103 insertions(+), 70 deletions(-)

diff --git a/project/dae/decorators.py b/project/dae/decorators.py
index 665902e..a927fef 100644
--- a/project/dae/decorators.py
+++ b/project/dae/decorators.py
@@ -105,3 +105,20 @@ def dossier_dans_ma_region_ou_service(fn):
         else:
             return poste_dans_ma_region_ou_service(fn)(request, *args, **kwargs)
     return inner
+
+def employe_dans_ma_region_ou_service(fn):
+    """
+    Test d'accÃ¨s Ã  un employÃ©
+    """
+    def inner(request, *args, **kwargs):
+        from project.dae.forms import _employe_choices
+        liste_employes = _employe_choices(None, request)
+        autorises = [k for k, nom in liste_employes]
+        employe_key = kwargs.get('employe_key')
+        if employe_key in autorises:
+            return fn(request, *args, **kwargs)
+        else :
+            msg = u"Vous n'avez pas le droit de consulter cet employÃ©."
+            return redirect_interdiction(request, msg)
+        
+    return inner
diff --git a/project/dae/views.py b/project/dae/views.py
index 16dbb28..b534850 100644
--- a/project/dae/views.py
+++ b/project/dae/views.py
@@ -17,7 +17,10 @@ from reversion.models import Version
 from project.dae import models as dae
 from project.rh_v1 import models as rh
 
-from decorators import dae_groupe_requis, poste_dans_ma_region_ou_service, dossier_dans_ma_region_ou_service
+from decorators import dae_groupe_requis, \
+                       poste_dans_ma_region_ou_service, \
+                       dossier_dans_ma_region_ou_service, \
+                       employe_dans_ma_region_ou_service
 from forms import *
 
 @dae_groupe_requis
@@ -300,6 +303,11 @@ def employe(request, key):
 
     return HttpResponse(EmployeForm(initial=data, instance=employe, request=request).as_table())
 
+################################################################################
+# AJAX SECURISE
+################################################################################
+@dae_groupe_requis
+@employe_dans_ma_region_ou_service
 def dossier(request, poste_key, employe_key):
     """ RÃ©cupÃ©ration AJAX du dossier pour la page d'embauche. """
     data = dict()
@@ -366,27 +374,7 @@ def dossier(request, poste_key, employe_key):
     return render_to_response('dae/embauche-dossier.html', vars,
                           RequestContext(request))
 
-def salaire(request, implantation, devise, classement):
-    if not devise or not classement:
-        raise Http404
-
-    taux_impl = rh.TauxChange.objects.filter(implantation=implantation) \
-                                     .order_by('-annee')
-    taux = rh.TauxChange.objects.filter(devise=devise).order_by('-annee')
-    vp = rh.ValeurPoint.objects.filter(implantation=implantation) \
-                               .order_by('-annee')
-    if vp.count() * taux.count() * taux_impl.count() == 0:
-        raise Http404
-
-    classement = get_object_or_404(rh.Classement, pk=classement)
-    taux, taux_impl, vp = taux[0].taux, taux_impl[0].taux, vp[0].valeur
-
-    salaire_euro = round(vp * classement.coefficient * taux_impl, 2)
-    data = dict(salaire_euro=salaire_euro, taux=taux,
-                salaire_devise=round(salaire_euro / taux, 2))
-
-    return HttpResponse(dumps(data))
-
+#  @Cette fonction est appelÃ©e Ã  partir de fonctions dÃ©jÃ  sÃ©curisÃ©e
 def pre_filled_dossier(dossier_rh, employe_source, poste_rh):
     dossier = dae.Dossier()
 
@@ -428,39 +416,30 @@ def pre_filled_dossier(dossier_rh, employe_source, poste_rh):
 
     return dossier
 
-def coefficient(request):
+@dae_groupe_requis
+@dossier_dans_ma_region_ou_service
+def dossier_resume(request, dossier_id=None):
     """ Appel AJAX : 
-    input : classement
-    output : coefficient
+    input : valeur_point
+    output : devise, devise_code, taux_euro
     """
-    method = request.method
-    params = getattr(request, method, [])
-    data = dict()
-    if 'classement' in params and params.get('classement') is not u"":
-        classement = params.get('classement')
-        classement = rh.Classement.objects.get(pk=classement)
-        data['coefficient'] = classement.coefficient
-    else:
-        data['coefficient'] = 0
-    return HttpResponse(dumps(data))
-
+    try:
+        dossier = rh.Dossier.objects.get(id=dossier_id)
+    except:
+        return HttpResponseGone("Ce dossier n'est pas accessible")
 
-def liste_valeurs_point(request):
-    """ Appel AJAX : 
-    input : implantation_id
-    output : JSON liste de valeur point
-    """
-    method = request.method
-    params = getattr(request, method, [])
-    data = []
-    annee_courante = datetime.datetime.now().year
-    if 'implantation_id' in params and params.get('implantation_id') is not u"":
-        implantation_id = params.get('implantation_id')
-        objects = rh.ValeurPoint.objects.filter(implantation=implantation_id, annee__in=(annee_courante-1, annee_courante)).order_by("-annee")
+    data = {}
+    data['personne'] = unicode(dossier.employe)
+    data['implantation'] = dossier.implantation1.id
+    data['poste'] = u"%s %s" % (dossier.poste1.type_poste.nom, dossier.complement1)
+    data['montant'] = dossier.get_salaire()
+    salaire = dossier.get_dernier_salaire_remun()
+    if salaire is not None:
+        data['devise'] = dossier.get_dernier_salaire_remun().devise.id
+        data['montant_euros'] = dossier.get_dernier_salaire_remun().en_euros()
     else:
-        objects = rh.ValeurPoint.objects.filter(annee__in=(annee_courante-1, annee_courante)).order_by("-annee")
-    for o in objects:
-        data.append({'id' : o.id, 'label' : o.__unicode__(), })
+        data['devise'] = None
+        data['montant_euros'] = 0
     return HttpResponse(dumps(data))
 
 def liste_postes(request):
@@ -490,6 +469,27 @@ def liste_postes(request):
     data = [('', 'Nouveau poste')] +  sorted([('dae-%s' % p.id, label_poste_display(p)) for p in dae_ | copies] + [('rh-%s' % p.id, label_poste_display(p)) for p in rhv1], key=lambda t: t[1])
     return HttpResponse(dumps(data))
 
+
+################################################################################
+# AJAX SECURITE non nÃ©cessaire
+################################################################################
+def coefficient(request):
+    """ Appel AJAX : 
+    input : classement
+    output : coefficient
+    """
+    method = request.method
+    params = getattr(request, method, [])
+    data = dict()
+    if 'classement' in params and params.get('classement') is not u"":
+        classement = params.get('classement')
+        classement = rh.Classement.objects.get(pk=classement)
+        data['coefficient'] = classement.coefficient
+    else:
+        data['coefficient'] = 0
+    return HttpResponse(dumps(data))
+
+
 def devise(request):
     """ Appel AJAX : 
     input : valeur_point
@@ -541,26 +541,42 @@ def add_remun(request, dossier, type_remun):
     return render_to_response('dae/embauche-remun.html', dict(dossier=dossier),
                               RequestContext(request))
 
-def dossier_resume(request, dossier_id=None):
+def salaire(request, implantation, devise, classement):
+    if not devise or not classement:
+        raise Http404
+
+    taux_impl = rh.TauxChange.objects.filter(implantation=implantation) \
+                                     .order_by('-annee')
+    taux = rh.TauxChange.objects.filter(devise=devise).order_by('-annee')
+    vp = rh.ValeurPoint.objects.filter(implantation=implantation) \
+                               .order_by('-annee')
+    if vp.count() * taux.count() * taux_impl.count() == 0:
+        raise Http404
+
+    classement = get_object_or_404(rh.Classement, pk=classement)
+    taux, taux_impl, vp = taux[0].taux, taux_impl[0].taux, vp[0].valeur
+
+    salaire_euro = round(vp * classement.coefficient * taux_impl, 2)
+    data = dict(salaire_euro=salaire_euro, taux=taux,
+                salaire_devise=round(salaire_euro / taux, 2))
+
+    return HttpResponse(dumps(data))
+
+def liste_valeurs_point(request):
     """ Appel AJAX : 
-    input : valeur_point
-    output : devise, devise_code, taux_euro
+    input : implantation_id
+    output : JSON liste de valeur point
     """
-    try:
-        dossier = rh.Dossier.objects.get(id=dossier_id)
-    except:
-        return HttpResponseGone("Ce dossier n'est pas accessible")
-
-    data = {}
-    data['personne'] = unicode(dossier.employe)
-    data['implantation'] = dossier.implantation1.id
-    data['poste'] = u"%s %s" % (dossier.poste1.type_poste.nom, dossier.complement1)
-    data['montant'] = dossier.get_salaire()
-    salaire = dossier.get_dernier_salaire_remun()
-    if salaire is not None:
-        data['devise'] = dossier.get_dernier_salaire_remun().devise.id
-        data['montant_euros'] = dossier.get_dernier_salaire_remun().en_euros()
+    method = request.method
+    params = getattr(request, method, [])
+    data = []
+    annee_courante = datetime.datetime.now().year
+    if 'implantation_id' in params and params.get('implantation_id') is not u"":
+        implantation_id = params.get('implantation_id')
+        objects = rh.ValeurPoint.objects.filter(implantation=implantation_id, annee__in=(annee_courante-1, annee_courante)).order_by("-annee")
     else:
-        data['devise'] = None
-        data['montant_euros'] = 0
+        objects = rh.ValeurPoint.objects.filter(annee__in=(annee_courante-1, annee_courante)).order_by("-annee")
+    for o in objects:
+        data.append({'id' : o.id, 'label' : o.__unicode__(), })
     return HttpResponse(dumps(data))
+
-- 
1.7.10.4