From 8b28f73bdbd77a3758f249cd766ef3a4d97ada64 Mon Sep 17 00:00:00 2001
From: Danhia
Date: Sun, 24 Sep 2023 15:17:49 +0200
Subject: [PATCH] added special permissions to allow a group of user to manage event-related objects
---
 src/ctfs/admin.py | 55 +++++++++++++--
 src/events/admin.py | 77 ++++++++++++++++++++-
 src/events/templates/events/event_info.html | 2 +-
 src/events/views/events.py | 75 ++++++++++----------
 4 files changed, 167 insertions(+), 42 deletions(-)
diff --git a/src/ctfs/admin.py b/src/ctfs/admin.py
index c563116..3a1a66f 100644
--- a/src/ctfs/admin.py
+++ b/src/ctfs/admin.py
@@ -2,8 +2,6 @@ from django.contrib import admin
 from .models import Category, CTF, CTF_flags
 admin.site.register(Category)
-#admin.site.register(CTF)
-#admin.site.register(CTF_flags)
 @admin.register(CTF_flags)
 class ctf_flags(admin.ModelAdmin):
@@ -14,12 +12,61 @@ class ctf_flags(admin.ModelAdmin):
 # search list
 search_fields = ['ctf__category__name', 'ctf__name', 'user__username']
+ def get_queryset(self, request):
+ qs = super().get_queryset(request)
+ if request.user.is_superuser:
+ return qs
+ groups = list(request.user.groups.values_list('name', flat=True))
+ return qs.filter(event__name__in=groups)
+
+ def has_view_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_view_permission(request, obj)
+
+ def has_change_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_change_permission(request, obj)
+
+ def has_delete_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_delete_permission(request, obj)
+
 @admin.register(CTF)
 class ctf(admin.ModelAdmin):
 #list display
- list_display = ['name', 'event', 'category']
+ list_display = ['name', 'event', 'category', 'points']
 #list Filter
 list_filter = ('category', 'event')
 # search list
 search_fields = ['category__name', 'name', 'author__username']
-# Register your models here.
+
+ def get_queryset(self, request):
+ qs = super().get_queryset(request)
+ if request.user.is_superuser:
+ return qs
+ groups = list(request.user.groups.values_list('name', flat=True))
+ return qs.filter(event__name__in=groups)
+
+ def has_view_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_view_permission(request, obj)
+
+ def has_change_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_change_permission(request, obj)
+
diff --git a/src/events/admin.py b/src/events/admin.py
index e4d542f..9ac28fe 100644
--- a/src/events/admin.py
+++ b/src/events/admin.py
@@ -8,6 +8,27 @@ class event(admin.ModelAdmin):
 # search list
 search_fields = ['name', 'slug', 'description', 'password']
+ def get_queryset(self, request):
+ qs = super().get_queryset(request)
+ if request.user.is_superuser:
+ return qs
+ groups = list(request.user.groups.values_list('name', flat=True))
+ return qs.filter(name__in=groups)
+
+ def has_view_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.name).exists()
+ return super().has_view_permission(request, obj)
+
+ def has_change_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.name).exists()
+ return super().has_change_permission(request, obj)
+
 @admin.register(EventPlayer)
 class score(admin.ModelAdmin):
 #list display
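Review bot: In src/ctfs/admin.py the object-level branch of every `has_*_permission` override in `ctf_flags` and `ctf` returns the group-name match on its own, so for a non-superuser the model permission that `super()` would check is never consulted once `obj` is set. A staff account that merely belongs to a group named after the event would then pass the view, change or delete check for that object even if the group was only granted view rights; whether such accounts exist depends on the group setup, which the patch does not show. Consider combining both checks, e.g. `return super().has_change_permission(request, obj) and request.user.groups.filter(name=obj.event.name).exists()`, or add a comment stating that group membership alone is meant to grant full rights. The same pattern recurs in the `event`, `score` and `team` hunks of src/events/admin.py, and `ctf_flags` starts above this hunk.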
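Review bot: In the `event` hunk of src/events/admin.py the authorisation key is the event's own `name`, and the new `has_change_permission` lets the same scoped managers edit that record, so renaming an event silently hands it to whichever group carries the new name, or to none. The models are not shown, so it is unclear whether `name` is unique or otherwise protected; if it is not, a dedicated relation from the event to its managing `Group` would be sturdier than a string match. As a smaller step the field can be made read-only for non-superusers: `def get_readonly_fields(self, request, obj=None):`, `ro = super().get_readonly_fields(request, obj)`, `return ro if request.user.is_superuser else (*ro, 'name')`. The context line also keeps `'password'` in `search_fields`, which these managers can now search on and presumably read on the form. The `event` class begins above the hunk.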
@@ -17,7 +38,33 @@ class score(admin.ModelAdmin):
 # search list
 search_fields = ['user__username', 'score', 'event__name']
-# Register your models here.
+ def get_queryset(self, request):
+ qs = super().get_queryset(request)
+ if request.user.is_superuser:
+ return qs
+ groups = list(request.user.groups.values_list('name', flat=True))
+ return qs.filter(event__name__in=groups)
+
+ def has_view_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_view_permission(request, obj)
+
+ def has_change_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_change_permission(request, obj)
+
+ def has_delete_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_delete_permission(request, obj)
 @admin.register(Team)
 class team(admin.ModelAdmin):
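Review bot: The `score` overrides scope which rows a manager can list and open, but nothing in the hunk limits the `event` choice on the add/change form, and `has_add_permission` is left at its default. Assuming `event` is a ForeignKey on `EventPlayer` (the `event__name` lookup suggests so), a manager holding the model's add or change permission could save a row against an event that belongs to another group. Restricting the form field's queryset closes that gap, since Django validates the submitted value against it; the same applies to `ctf`, `ctf_flags` and `team`. The `score` class starts above the hunk.

```python
    def formfield_for_foreignkey(self, db_field, request, **kwargs):
        # Offer only events whose name matches one of the user's groups,
        # mirroring the filter applied in get_queryset.
        if db_field.name == 'event' and not request.user.is_superuser:
            groups = request.user.groups.values_list('name', flat=True)
            kwargs['queryset'] = db_field.related_model.objects.filter(name__in=groups)
        return super().formfield_for_foreignkey(db_field, request, **kwargs)
```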
@@ -28,6 +75,34 @@ class team(admin.ModelAdmin):
 # search list
 search_fields = ['name']
+ def get_queryset(self, request):
+ qs = super().get_queryset(request)
+ if request.user.is_superuser:
+ return qs
+ groups = list(request.user.groups.values_list('name', flat=True))
+ return qs.filter(event__name__in=groups)
+
+ def has_view_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_view_permission(request, obj)
+
+ def has_change_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_change_permission(request, obj)
+
+ def has_delete_permission(self, request, obj=None):
+ if request.user.is_superuser:
+ return True
+ if obj is not None:
+ return request.user.groups.filter(name=obj.event.name).exists()
+ return super().has_delete_permission(request, obj)
+
 @admin.register(Bonus)
 class bonus(admin.ModelAdmin):
 #list display
diff --git a/src/events/templates/events/event_info.html b/src/events/templates/events/event_info.html
index d1ed50e..1f523a8 100644
--- a/src/events/templates/events/event_info.html
+++ b/src/events/templates/events/event_info.html
@@ -26,7 +26,7 @@ {% endif %}
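Review bot: The block added to `team` is the fifth near-identical copy of `get_queryset` plus the `has_*_permission` overrides in this patch (also in `ctf_flags`, `ctf`, `event` and `score`), differing only in the lookup path. Copies of an access-control rule tend to drift, and these already differ: `ctf` and `event` carry no `has_delete_permission` override while the other three do, with no comment saying whether that is intended. A shared base class with one lookup attribute keeps the rule in one place; the sketch below also requires the model permission from `super()` on object checks, which the pasted version skips. The `team` class starts above the hunk.

```python
class EventScopedAdmin(admin.ModelAdmin):
    """Limit non-superusers to objects of events named after one of their groups."""

    # ORM path to the event name; the event admin itself would set 'name'.
    event_name_lookup = 'event__name'

    def get_queryset(self, request):
        qs = super().get_queryset(request)
        if request.user.is_superuser:
            return qs
        groups = request.user.groups.values_list('name', flat=True)
        return qs.filter(**{self.event_name_lookup + '__in': groups})

    def _in_scope(self, request, obj):
        # Reuse the list filter so object checks cannot diverge from it.
        return obj is None or self.get_queryset(request).filter(pk=obj.pk).exists()

    def has_view_permission(self, request, obj=None):
        return super().has_view_permission(request, obj) and self._in_scope(request, obj)

    def has_change_permission(self, request, obj=None):
        return super().has_change_permission(request, obj) and self._in_scope(request, obj)

    def has_delete_permission(self, request, obj=None):
        return super().has_delete_permission(request, obj) and self._in_scope(request, obj)


@admin.register(Team)
class team(EventScopedAdmin):
    # … unchanged: list_display, list_filter, search_fields …
```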