.
This commit is contained in:
@@ -182,6 +182,27 @@ class ExamViews(View, LoginRequiredMixin):
|
||||
return False
|
||||
return True
|
||||
|
||||
def check_user_edit_access(self, user):
|
||||
"""Check if a user should be able to access a view
|
||||
|
||||
Args:
|
||||
user ([user]): user object
|
||||
|
||||
Returns:
|
||||
[boolean]: True if the user has access
|
||||
"""
|
||||
if self.app_name == "rapids" and not user.groups.filter(name='rapid_checker').exists():
|
||||
return False
|
||||
if self.app_name == "anatomy" and not user.groups.filter(name='anatomy_checker').exists():
|
||||
return False
|
||||
if self.app_name == "longs" and not user.groups.filter(name__in=('long_checker')).exists():
|
||||
return False
|
||||
if self.app_name == "physics" and not user.groups.filter(name='physic_checker').exists():
|
||||
return False
|
||||
if self.app_name == "sbas" and not user.groups.filter(name='sba_checker').exists():
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
|
||||
@method_decorator(login_required)
|
||||
@@ -277,6 +298,10 @@ class ExamViews(View, LoginRequiredMixin):
|
||||
def exam_json_edit(self, request, pk):
|
||||
if request.is_ajax() and request.method == "POST":
|
||||
|
||||
if not self.check_user_edit_access(request.user):
|
||||
data = {"status": "error, invalid permisions"}
|
||||
return JsonResponse(data, status=400)
|
||||
|
||||
exam = get_object_or_404(self.Exam, pk=pk)
|
||||
|
||||
if "add_exam_questions" in request.POST:
|
||||
|
||||
Reference in New Issue
Block a user