From c0492570195216f1408b38598a34796882e009f1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Olivier=20Larchev=C3=AAque?=
Date: Fri, 13 May 2011 16:08:34 -0400
Subject: [PATCH] fix #1449, limitation des recherches par personne connectee, securite renforcee pour acces API

---
 project/dae/catalogues.py | 5 +----
 project/dae/decorators.py | 36 +++++++++++++++++++++++++++++++++++-
 project/dae/views.py | 3 ++-
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/project/dae/catalogues.py b/project/dae/catalogues.py
index 2a88370..4aa32d8 100644
--- a/project/dae/catalogues.py
+++ b/project/dae/catalogues.py
@@ -40,8 +40,6 @@ class Dossier(object):
         employe = get_employe_from_user(request.user)
         prefixe_implantation = 'poste1__implantation'
 
-        print employe.implantation
-        print employe.implantation.region
 
         q_recherche = Q(complement1__icontains=q) | \
                       Q(poste1__type_poste__nom__icontains=q) | \
@@ -57,8 +55,7 @@ class Dossier(object):
         if grp_drh in request.user.groups.all():
             q_filtre = q_recherche
         else:
-            q_filtre = q_place & q_place
-
+            q_filtre = q_place & q_recherche
         return rh.Dossier.objects.filter(q_filtre).distinct()
 
     def format_result(self, dossier):
diff --git a/project/dae/decorators.py b/project/dae/decorators.py
index 443384e..6a14f2c 100644
--- a/project/dae/decorators.py
+++ b/project/dae/decorators.py
@@ -1,12 +1,14 @@
 # -*- encoding: utf-8 -*-
+from django.db.models import Q
 from django.contrib import messages
 from django.contrib.auth.decorators import user_passes_test
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect
-from workflow import dae_groupes, ETATS_EDITABLE
+from workflow import dae_groupes, ETATS_EDITABLE, grp_drh
 from project.dae import models as dae
 from project.rh_v1 import models as rh
+from utils import get_employe_from_user, is_user_dans_service
 
 def user_in_dae_groupes(user):
     """
@@ -106,6 +108,38 @@ def dossier_dans_ma_region_ou_service(fn):
         return poste_dans_ma_region_ou_service(fn)(request, *args, **kwargs)
     return inner
 
+def vieux_dossier_dans_ma_region_ou_service(fn):
+    """
+    Test si le user connecté appartient bien à la même région ou service que le poste.
+    """
+    def inner(request, *args, **kwargs):
+        user = request.user
+        dossier_id = kwargs.get('dossier_id', None)
+
+        employe = get_employe_from_user(request.user)
+        prefixe_implantation = 'poste1__implantation'
+
+        if is_user_dans_service(request.user):
+            q_place = Q(**{ '%s' % prefixe_implantation : employe.implantation })
+        else:
+            q_place = Q(**{ '%s__region' % prefixe_implantation : employe.implantation.region })
+
+
+        if grp_drh in request.user.groups.all():
+            q_filtre = Q(id=dossier_id)
+        else:
+            q_filtre = q_place & Q(id=dossier_id)
+
+        try:
+            dossier = rh.Dossier.objects.get(q_filtre)
+            return fn(request, *args, **kwargs)
+        except Exception, e:
+            msg = u"Vous n'avez pas le droit de consulter ce dossier d'embauche."
+            return redirect_interdiction(request, msg)
+
+
+    return inner
+
 def employe_dans_ma_region_ou_service(fn):
     """
     Test d'accès à un employé
diff --git a/project/dae/views.py b/project/dae/views.py
index 33e3bbb..64cecd7 100644
--- a/project/dae/views.py
+++ b/project/dae/views.py
@@ -24,6 +24,7 @@ from project.rh_v1 import models as rh
 from decorators import dae_groupe_requis, \
                        poste_dans_ma_region_ou_service, \
                        dossier_dans_ma_region_ou_service, \
+                       vieux_dossier_dans_ma_region_ou_service, \
                        employe_dans_ma_region_ou_service, \
                        dossier_est_modifiable, \
                        poste_est_modifiable
@@ -490,7 +491,7 @@ def pre_filled_dossier(dossier_rh, employe_source, poste_rh):
     return dossier
 
 @dae_groupe_requis
-@dossier_dans_ma_region_ou_service
+@vieux_dossier_dans_ma_region_ou_service
 def dossier_resume(request, dossier_id=None):
     """
     Appel AJAX : input : valeur_point
-- 
1.7.10.4
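Review bot: `except Exception, e:` in the new `inner` turns every failure of the lookup — a database error, or an AttributeError if `get_employe_from_user` can return no employe and `employe.implantation` is then dereferenced — into the same "pas le droit" redirect, which hides real faults behind an access-denied message; only the lookup miss is a denial, so the two lines should read `rh.Dossier.objects.get(q_filtre)` and `except rh.Dossier.DoesNotExist:`. The bound `e`, the local `user` and the assigned `dossier` are never read and can be dropped. The docstring is copied from the poste variant and says "que le poste" while the check is on a dossier; `Test si le user connecté a accès au dossier (même région ou service, ou groupe DRH).` would describe what it does. The `q_place` construction duplicates the one in `catalogues.Dossier` touched by this same patch; a shared helper in `utils` would keep the two access rules from drifting apart.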
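Review bot: `vieux_dossier_dans_ma_region_ou_service` reads the id only through `kwargs.get('dossier_id', None)`, so if the URL pattern for `dossier_resume` captures the id as an unnamed group it arrives in `args`, the filter collapses to `Q(id=None)` and every request is redirected as forbidden; the URLconf is not in this patch, so this is inferred and should be confirmed. Either a named group `(?P<dossier_id>...)` in the pattern or a positional fallback in the decorator would make the check robust to how the view is wired. The body of `dossier_resume` continues outside the hunk.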