Fix the blacklist forms, restricted access to disable users

app/hr/templates/hr/blacklist/blacklist.html

@@ -3,24 +3,30 @@
 {% block title %}Blacklist User{% endblock %}
 
 {% block content %}
+<div class="page-header">
   <h1>Add Blacklist</h1>
+</div>
 
 <p>This form will blacklist the listed user below. It'll process all entries for the user and blacklist the following:</p>
 <ul>
   <li>EVE API Keys</li>
   <li>Characters</li>
   <li>Email Addresses</li>
-{% if "reddit"|installed %}
+  {% if "reddit"|installed %}<li>Reddit Accounts</li>{% endif %}
-<li>Reddit Accounts</li>
-{% endif %}
 </ul>
 
 <form action="{% url hr-blacklistuser blacklistuser.id %}" method="post">
-<table>
+<fieldset>
-<tr><th><label>User:</label></th><td>{{ blacklistuser.username }}</td></tr> 
+  <div class="clearfix">
-{{ form.as_table }}
+    <label for="u">User</label>
-</table>
+    <div class="input"><input id="u" value="{{ blacklistuser.username }}" disabled="true"/></div>
+  </div>
+  {% include "formtools/formfield.html" with field=form.level %}
+  {% include "formtools/formfield.html" with field=form.reason class="xxlarge" %}
+  {% include "formtools/formfield.html" with field=form.expiry_date %}
+  {% include "formtools/formfield.html" with field=form.disable %}
   {% csrf_token %}
-<input type="submit" value="Blacklist" />
+  <input type="submit" value="Blacklist" class="btn error"/>
+</fieldset>
 </form>
 {% endblock %}

app/hr/templates/hr/blacklist_list.html

@@ -36,7 +36,7 @@
   <ul>
     <li class="prev{% if not page_obj.has_previous %} disabled{% endif %}"><a href="{% if page_obj.has_previous %}?page={{ page_obj.previous_page_number }}{% endif %}">Previous</a></li>
     {% for i in paginator.page_range %}
-    <li{% if i == page.number %} class="active"{% endif %}><a href="?page={{ i }}">{{ i }}</a></li>
+    <li{% if i == page_obj.number %} class="active"{% endif %}><a href="?page={{ i }}">{{ i }}</a></li>
     {% endfor %}
     <li class="next{% if not page_obj.has_next %} disabled{% endif %}"><a href="{% if page_obj.has_next %}?page={{page_obj.next_page_number }}{% endif %}">Next</a>
   </ul>

app/hr/views.py

@@ -344,6 +344,12 @@ class HrBlacklistUser(FormView):
     def blacklist_item(self, type, value):
         Blacklist(type=type, value=value, level=self.level, source=self.source, expiry_date=self.expiry, created_by=self.request.user, reason=self.reason).save()
 
+    def get_form(self, form_class):
+        obj = form_class()
+        if not (self.request.user.has_perm('auth.change_user') and self.request.user.has_perm('sso.delete_serviceaccount')):
+            obj.fields['disable'].widget.attrs['readonly'] = True
+        return obj
+
     def form_valid(self, form):
         self.source = BlacklistSource.objects.get(id=1)
         self.expiry = form.cleaned_data.get('expiry_date', None)
@@ -371,7 +377,7 @@ class HrBlacklistUser(FormView):
         messages.add_message(self.request, messages.INFO, "User %s has been blacklisted" % self.blacklist_user.username )
 
         # Disable the account if requested
-        if form.cleaned_data.get('disable', None):
+        if form.cleaned_data.get('disable', None) and self.request.user.has_perm('auth.change_user') and self.request.user.has_perm('sso.delete_serviceaccount'):
             self.blacklist_user.active = False
             self.blacklist_user.save()
             messages.add_message(self.request, messages.INFO, "User %s disabled" % self.blacklist_user.username)