From 7561eabe522903a5f5ea5e6b8aef0f417697dadd Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Wed, 7 Apr 2021 18:56:17 +0200
Subject: [PATCH] Implement Backend to deny editing Guest rights restriction #1938
---
 cps/admin.py | 7 +++++++
 cps/static/js/table.js | 1 +
 2 files changed, 8 insertions(+)
diff --git a/cps/admin.py b/cps/admin.py
index 966e01ff..04ddbed1 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -335,6 +335,9 @@ def edit_list_user(param):
 elif param == 'kindle_mail':
 user.kindle_mail = valid_email(vals['value']) if vals['value'] else ""
 elif param == 'role':
+ if user.name == "Guest" and int(vals['field_index']) in \
+ [constants.ROLE_ADMIN, constants.ROLE_PASSWD, constants.ROLE_EDIT_SHELFS]:
+ raise Exception(_("Guest can't have this role"))
 if vals['value'] == 'true':
 user.role |= int(vals['field_index'])
 else:
@@ -345,6 +348,8 @@ def edit_list_user(param):
 return _(u"No admin user remaining, can't remove admin role", nick=user.name), 400
 user.role &= ~int(vals['field_index'])
 elif param == 'sidebar_view':
+ if user.name == "Guest" and int(vals['field_index']) == constants.SIDEBAR_READ_AND_UNREAD:
+ raise Exception(_("Guest can't have this view"))
 if vals['value'] == 'true':
 user.sidebar_view |= int(vals['field_index'])
 else:
@@ -358,6 +363,8 @@ def edit_list_user(param):
 elif param == 'denied_column_value':
 user.denied_column_value = vals['value']
 elif param == 'locale':
+ if user.name == "Guest":
+ raise Exception(_("Guest's Locale is determined automatically and can't be set"))
 user.locale = vals['value']
 elif param == 'default_language':
 user.default_language = vals['value']
diff --git a/cps/static/js/table.js b/cps/static/js/table.js
index 332b7f54..b9e6a202 100644
--- a/cps/static/js/table.js
+++ b/cps/static/js/table.js
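Review bot: The Guest guard added in the `role` branch tests `int(vals['field_index'])` for exact membership in a list, but the lines right after it apply the same value as a bitmask (`user.role |= ...`), so a submitted value that combines a forbidden bit with any other bit is not in the list and the forbidden bit is still set. Assuming these constants are single-bit flags, as the `|=` / `&= ~` usage suggests, test the bits instead: `if user.name == "Guest" and int(vals['field_index']) & (constants.ROLE_ADMIN | constants.ROLE_PASSWD | constants.ROLE_EDIT_SHELFS):`. The `sidebar_view` hunk has the same shape with `== constants.SIDEBAR_READ_AND_UNREAD` and needs `&` as well. The guard also runs when `vals['value']` is not `'true'`, so clearing one of these bits on Guest is refused too; move it under the `== 'true'` arm if that is not intended. edit_list_user starts and ends outside the hunk.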
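Review bot: The refusal added in the `sidebar_view` branch uses `raise Exception(...)`, while the context line at the top of this same hunk reports a refused change with `return _(...), 400`. Unless a handler outside the hunk catches it, a bare `Exception` would presumably reach the client as a server error instead of a 400 carrying the translated message, and it cannot be told apart from an unexpected failure in logs. `return _("Guest can't have this view"), 400` would follow the existing convention. The `raise` lines added in the `role` and `locale` hunks have the same issue.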
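Review bot: The `locale` guard identifies the guest account by the literal `user.name == "Guest"`, as the two earlier hunks do, so the restriction holds only while that account keeps exactly this name. Whether the name can be changed through another branch of edit_list_user is not visible in these hunks; if the user model carries an anonymous flag or role bit, testing that would be sturdier than the display name. If the name comparison stays, compute it once before the `param` chain, e.g. `is_guest = user.name == "Guest"`, and add a comment such as `# Guest is matched by name; keep in sync with the guest account's name`.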
@@ -459,6 +459,7 @@ $(function() {
 $("input[data-name='admin_role'][data-pk='"+guest.data("pk")+"']").prop("disabled", true);
 $("input[data-name='passwd_role'][data-pk='"+guest.data("pk")+"']").prop("disabled", true);
 $("input[data-name='edit_shelf_role'][data-pk='"+guest.data("pk")+"']").prop("disabled", true);
+ $("input[data-name='sidebar_read_and_unread'][data-pk='"+guest.data("pk")+"']").prop("disabled", true);
 // ToDo: Disable delete
 },