apps/member/tables.py

@@ -43,24 +43,8 @@ class UserTable(tables.Table):
 
     section = tables.Column(accessor='profile__section')
 
-    # Override the column to let replace the URL
-    email = tables.EmailColumn(linkify=lambda record: "mailto:{}".format(record.email))
-
     balance = tables.Column(accessor='note__balance', verbose_name=_("Balance"))
 
-    def render_email(self, record, value):
-        # Replace the email by a dash if the user can't see the profile detail
-        # Replace also the URL
-        if not PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile):
-            value = "—"
-            record.email = value
-        return value
-
-    def render_section(self, record, value):
-        return value \
-            if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_profile", record.profile) \
-            else "—"
-
     def render_balance(self, record, value):
         return pretty_money(value)\
             if PermissionBackend.check_perm(get_current_authenticated_user(), "note.view_note", record.note) else "—"

apps/member/templates/member/includes/profile_info.html

@@ -25,27 +25,25 @@
         </a>
     </dd>
 
-    {% if "member.view_profile"|has_perm:user_object.profile %}
+    <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
-        <dt class="col-xl-6">{% trans 'section'|capfirst %}</dt>
+    <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
-        <dd class="col-xl-6">{{ user_object.profile.section }}</dd>
 
-        <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
+    <dt class="col-xl-6">{% trans 'email'|capfirst %}</dt>
-        <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
+    <dd class="col-xl-6"><a href="mailto:{{ user_object.email }}">{{ user_object.email }}</a></dd>
 
-        <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
+    <dt class="col-xl-6">{% trans 'phone number'|capfirst %}</dt>
-        <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
+    <dd class="col-xl-6"><a href="tel:{{ user_object.profile.phone_number }}">{{ user_object.profile.phone_number }}</a>
-        </dd>
+    </dd>
 
-        <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
+    <dt class="col-xl-6">{% trans 'address'|capfirst %}</dt>
-        <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
+    <dd class="col-xl-6">{{ user_object.profile.address }}</dd>
 
-        {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
+    {% if user_object.note and "note.view_note"|has_perm:user_object.note %}
-        <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
+    <dt class="col-xl-6">{% trans 'balance'|capfirst %}</dt>
-        <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
+    <dd class="col-xl-6">{{ user_object.note.balance | pretty_money }}</dd>
 
-        <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
+    <dt class="col-xl-6">{% trans 'paid'|capfirst %}</dt>
-        <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
+    <dd class="col-xl-6">{{ user_object.profile.paid|yesno }}</dd>
-        {% endif %}
     {% endif %}
 </dl>
 

apps/member/views.py

@@ -70,11 +70,10 @@ class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
         form.fields['email'].required = True
         form.fields['email'].help_text = _("This address must be valid.")
 
-        if PermissionBackend.check_perm(self.request.user, "member.change_profile", context['user_object'].profile):
+        context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
-            context['profile_form'] = self.profile_form(instance=context['user_object'].profile,
+                                                    data=self.request.POST if self.request.POST else None)
-                                                        data=self.request.POST if self.request.POST else None)
+        if not self.object.profile.report_frequency:
-            if not self.object.profile.report_frequency:
+            del context['profile_form'].fields["last_report"]
-                del context['profile_form'].fields["last_report"]
 
         return context
 

apps/permission/fixtures/initial.json

@@ -2839,22 +2839,6 @@
 			"description": "Voir n'importe quel profil non encore inscrit"
 		}
 	},
-	{
-		"model": "permission.permission",
-		"pk": 182,
-		"fields": {
-			"model": [
-				"auth",
-				"user"
-			],
-			"query": "{\"memberships__club__name\": \"BDE\", \"memberships__roles__name\": \"Adhérent BDE\", \"memberships__date_start__lte\": [\"today\"], \"memberships__date_end__gte\": [\"today\"]}",
-			"type": "view",
-			"mask": 2,
-			"field": "",
-			"permanent": false,
-			"description": "Voir n'importe quel utilisateur qui est adhérent BDE"
-		}
-	},
 	{
 		"model": "permission.role",
 		"pk": 1,
@@ -2987,14 +2971,14 @@
 				62,
 				127,
 				133,
+				135,
 				136,
 				141,
 				142,
 				150,
 				166,
 				167,
-				168,
+				168
-				182
 			]
 		}
 	},
@@ -3287,12 +3271,7 @@
 				170,
 				171,
 				176,
-				177,
+				177
-				178,
-				179,
-				180,
-				181,
-				182
 			]
 		}
 	},
@@ -3487,9 +3466,7 @@
 				56,
 				57,
 				58,
-				137,
 				143,
-				147,
 				150,
 				166,
 				167,
@@ -3497,8 +3474,7 @@
 				176,
 				177,
 				180,
-				181,
+				181
-				182
 			]
 		}
 	},

apps/permission/models.py

@@ -45,7 +45,6 @@ class InstancedPermission:
                 with transaction.atomic():
                     sid = transaction.savepoint()
                     for o in self.model.model_class().objects.filter(pk=0).all():
-                        o._no_signal = True
                         o._force_delete = True
                         Model.delete(o)
                         # An object with pk 0 wouldn't deleted. That's not normal, we alert admins.
@@ -63,6 +62,10 @@ class InstancedPermission:
                     obj._no_signal = True
                     Model.save(obj, force_insert=True)
                     ret = self.model.model_class().objects.filter(self.query & Q(pk=0)).exists()
+                    # Delete testing object
+                    obj._no_signal = True
+                    obj._force_delete = True
+                    Model.delete(obj)
                     transaction.savepoint_rollback(sid)
 
                 return ret

apps/permission/views.py

@@ -51,10 +51,8 @@ class ProtectQuerysetMixin:
         # No worry if the user change the hidden fields: a 403 error will be performed if the user tries to make
         # a custom request.
         # We could also delete the field, but some views might be affected.
-        meta = form.instance._meta
         for key in form.base_fields:
-            if not PermissionBackend.check_perm(self.request.user,
+            if not PermissionBackend.check_perm(self.request.user, "wei.change_weiregistration_" + key, self.object):
-                                                f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
                 form.fields[key].widget = HiddenInput()
 
         return form