Fix the blacklist forms, restricted access to disable users

2025-12-14 14:52:15 +00:00 · 2011-12-05 21:42:57 +00:00
parent fffe08b0b0
commit 01b161166c
3 changed files with 27 additions and 15 deletions
--- a/app/hr/templates/hr/blacklist/blacklist.html
+++ b/app/hr/templates/hr/blacklist/blacklist.html
@@ -3,24 +3,30 @@
 {% block title %}Blacklist User{% endblock %}

 {% block content %}
-<h1>Add Blacklist</h1>
+<div class="page-header">
+  <h1>Add Blacklist</h1>
+</div>

 <p>This form will blacklist the listed user below. It'll process all entries for the user and blacklist the following:</p>
 <ul>
-<li>EVE API Keys</li>
-<li>Characters</li>
-<li>Email Addresses</li>
-{% if "reddit"|installed %}
-<li>Reddit Accounts</li>
-{% endif %}
+  <li>EVE API Keys</li>
+  <li>Characters</li>
+  <li>Email Addresses</li>
+  {% if "reddit"|installed %}<li>Reddit Accounts</li>{% endif %}
 </ul>

 <form action="{% url hr-blacklistuser blacklistuser.id %}" method="post">
-<table>
-<tr><th><label>User:</label></th><td>{{ blacklistuser.username }}</td></tr> 
-{{ form.as_table }}
-</table>
-{% csrf_token %}
-<input type="submit" value="Blacklist" />
+<fieldset>
+  <div class="clearfix">
+    <label for="u">User</label>
+    <div class="input"><input id="u" value="{{ blacklistuser.username }}" disabled="true"/></div>
+  </div>
+  {% include "formtools/formfield.html" with field=form.level %}
+  {% include "formtools/formfield.html" with field=form.reason class="xxlarge" %}
+  {% include "formtools/formfield.html" with field=form.expiry_date %}
+  {% include "formtools/formfield.html" with field=form.disable %}
+  {% csrf_token %}
+  <input type="submit" value="Blacklist" class="btn error"/>
+</fieldset>
 </form>
 {% endblock %}
--- a/app/hr/templates/hr/blacklist_list.html
+++ b/app/hr/templates/hr/blacklist_list.html
@@ -36,7 +36,7 @@
  <ul>
    <li class="prev{% if not page_obj.has_previous %} disabled{% endif %}"><a href="{% if page_obj.has_previous %}?page={{ page_obj.previous_page_number }}{% endif %}">Previous</a></li>
    {% for i in paginator.page_range %}
-    <li{% if i == page.number %} class="active"{% endif %}><a href="?page={{ i }}">{{ i }}</a></li>
+    <li{% if i == page_obj.number %} class="active"{% endif %}><a href="?page={{ i }}">{{ i }}</a></li>
    {% endfor %}
    <li class="next{% if not page_obj.has_next %} disabled{% endif %}"><a href="{% if page_obj.has_next %}?page={{page_obj.next_page_number }}{% endif %}">Next</a>
  </ul>
--- a/app/hr/views.py
+++ b/app/hr/views.py
@@ -344,6 +344,12 @@ class HrBlacklistUser(FormView):
    def blacklist_item(self, type, value):
        Blacklist(type=type, value=value, level=self.level, source=self.source, expiry_date=self.expiry, created_by=self.request.user, reason=self.reason).save()

+    def get_form(self, form_class):
+        obj = form_class()
+        if not (self.request.user.has_perm('auth.change_user') and self.request.user.has_perm('sso.delete_serviceaccount')):
+            obj.fields['disable'].widget.attrs['readonly'] = True
+        return obj
+
    def form_valid(self, form):
        self.source = BlacklistSource.objects.get(id=1)
        self.expiry = form.cleaned_data.get('expiry_date', None)
@@ -371,7 +377,7 @@ class HrBlacklistUser(FormView):
        messages.add_message(self.request, messages.INFO, "User %s has been blacklisted" % self.blacklist_user.username )

        # Disable the account if requested
-        if form.cleaned_data.get('disable', None):
+        if form.cleaned_data.get('disable', None) and self.request.user.has_perm('auth.change_user') and self.request.user.has_perm('sso.delete_serviceaccount'):
            self.blacklist_user.active = False
            self.blacklist_user.save()
            messages.add_message(self.request, messages.INFO, "User %s disabled" % self.blacklist_user.username)