mirror of
https://github.com/django-helpdesk/django-helpdesk.git
synced 2024-12-14 19:00:44 +01:00
protecting through 403 several staff views
This commit is contained in:
parent
1ea70ad1be
commit
01598826bf
@ -21,11 +21,11 @@ except ImportError:
|
|||||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||||
from django.core.files.base import ContentFile
|
from django.core.files.base import ContentFile
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django.core.exceptions import ValidationError
|
from django.core.exceptions import ValidationError, PermissionDenied
|
||||||
from django.core import paginator
|
from django.core import paginator
|
||||||
from django.db import connection
|
from django.db import connection
|
||||||
from django.db.models import Q
|
from django.db.models import Q
|
||||||
from django.http import HttpResponseRedirect, Http404, HttpResponse, HttpResponseForbidden
|
from django.http import HttpResponseRedirect, Http404, HttpResponse
|
||||||
from django.shortcuts import render_to_response, get_object_or_404
|
from django.shortcuts import render_to_response, get_object_or_404
|
||||||
from django.template import loader, Context, RequestContext
|
from django.template import loader, Context, RequestContext
|
||||||
from django.utils.dates import MONTHS_3
|
from django.utils.dates import MONTHS_3
|
||||||
@ -164,6 +164,8 @@ dashboard = staff_member_required(dashboard)
|
|||||||
|
|
||||||
def delete_ticket(request, ticket_id):
|
def delete_ticket(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
if request.method == 'GET':
|
if request.method == 'GET':
|
||||||
return render_to_response('helpdesk/delete_ticket.html',
|
return render_to_response('helpdesk/delete_ticket.html',
|
||||||
@ -179,6 +181,8 @@ def followup_edit(request, ticket_id, followup_id):
|
|||||||
"Edit followup options with an ability to change the ticket."
|
"Edit followup options with an ability to change the ticket."
|
||||||
followup = get_object_or_404(FollowUp, id=followup_id)
|
followup = get_object_or_404(FollowUp, id=followup_id)
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
if request.method == 'GET':
|
if request.method == 'GET':
|
||||||
form = EditFollowUpForm(initial=
|
form = EditFollowUpForm(initial=
|
||||||
{'title': escape(followup.title),
|
{'title': escape(followup.title),
|
||||||
@ -237,6 +241,8 @@ followup_delete = staff_member_required(followup_delete)
|
|||||||
|
|
||||||
def view_ticket(request, ticket_id):
|
def view_ticket(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
if 'take' in request.GET:
|
if 'take' in request.GET:
|
||||||
# Allow the user to assign the ticket to themselves whilst viewing it.
|
# Allow the user to assign the ticket to themselves whilst viewing it.
|
||||||
@ -623,6 +629,9 @@ def mass_update(request):
|
|||||||
action = 'assign'
|
action = 'assign'
|
||||||
|
|
||||||
for t in Ticket.objects.filter(id__in=tickets):
|
for t in Ticket.objects.filter(id__in=tickets):
|
||||||
|
if not _has_access_to_queue(request.user, t.queue):
|
||||||
|
continue
|
||||||
|
|
||||||
if action == 'assign' and t.assigned_to != user:
|
if action == 'assign' and t.assigned_to != user:
|
||||||
t.assigned_to = user
|
t.assigned_to = user
|
||||||
t.save()
|
t.save()
|
||||||
@ -901,7 +910,7 @@ ticket_list = staff_member_required(ticket_list)
|
|||||||
def edit_ticket(request, ticket_id):
|
def edit_ticket(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
if not _has_access_to_queue(request.user, ticket.queue):
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
return HttpResponseRedirect(reverse('helpdesk_dashboard'))
|
raise PermissionDenied()
|
||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
form = EditTicketForm(request.POST, instance=ticket)
|
form = EditTicketForm(request.POST, instance=ticket)
|
||||||
@ -974,6 +983,8 @@ raw_details = staff_member_required(raw_details)
|
|||||||
|
|
||||||
def hold_ticket(request, ticket_id, unhold=False):
|
def hold_ticket(request, ticket_id, unhold=False):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
if unhold:
|
if unhold:
|
||||||
ticket.on_hold = False
|
ticket.on_hold = False
|
||||||
@ -1282,6 +1293,9 @@ email_ignore_del = superuser_required(email_ignore_del)
|
|||||||
|
|
||||||
def ticket_cc(request, ticket_id):
|
def ticket_cc(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
copies_to = ticket.ticketcc_set.all()
|
copies_to = ticket.ticketcc_set.all()
|
||||||
return render_to_response('helpdesk/ticket_cc_list.html',
|
return render_to_response('helpdesk/ticket_cc_list.html',
|
||||||
RequestContext(request, {
|
RequestContext(request, {
|
||||||
@ -1292,6 +1306,9 @@ ticket_cc = staff_member_required(ticket_cc)
|
|||||||
|
|
||||||
def ticket_cc_add(request, ticket_id):
|
def ticket_cc_add(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
form = TicketCCForm(request.POST)
|
form = TicketCCForm(request.POST)
|
||||||
if form.is_valid():
|
if form.is_valid():
|
||||||
@ -1310,6 +1327,7 @@ ticket_cc_add = staff_member_required(ticket_cc_add)
|
|||||||
|
|
||||||
def ticket_cc_del(request, ticket_id, cc_id):
|
def ticket_cc_del(request, ticket_id, cc_id):
|
||||||
cc = get_object_or_404(TicketCC, ticket__id=ticket_id, id=cc_id)
|
cc = get_object_or_404(TicketCC, ticket__id=ticket_id, id=cc_id)
|
||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
cc.delete()
|
cc.delete()
|
||||||
return HttpResponseRedirect(reverse('helpdesk_ticket_cc', kwargs={'ticket_id': cc.ticket.id}))
|
return HttpResponseRedirect(reverse('helpdesk_ticket_cc', kwargs={'ticket_id': cc.ticket.id}))
|
||||||
@ -1321,6 +1339,8 @@ ticket_cc_del = staff_member_required(ticket_cc_del)
|
|||||||
|
|
||||||
def ticket_dependency_add(request, ticket_id):
|
def ticket_dependency_add(request, ticket_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
form = TicketDependencyForm(request.POST)
|
form = TicketDependencyForm(request.POST)
|
||||||
if form.is_valid():
|
if form.is_valid():
|
||||||
@ -1351,6 +1371,8 @@ ticket_dependency_del = staff_member_required(ticket_dependency_del)
|
|||||||
|
|
||||||
def attachment_del(request, ticket_id, attachment_id):
|
def attachment_del(request, ticket_id, attachment_id):
|
||||||
ticket = get_object_or_404(Ticket, id=ticket_id)
|
ticket = get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
if not _has_access_to_queue(request.user, ticket.queue):
|
||||||
|
raise PermissionDenied()
|
||||||
attachment = get_object_or_404(Attachment, id=attachment_id)
|
attachment = get_object_or_404(Attachment, id=attachment_id)
|
||||||
attachment.delete()
|
attachment.delete()
|
||||||
return HttpResponseRedirect(reverse('helpdesk_view', args=[ticket_id]))
|
return HttpResponseRedirect(reverse('helpdesk_view', args=[ticket_id]))
|
||||||
|
Loading…
Reference in New Issue
Block a user