smaa/octopus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
0c64aac5705651259f1c4b20dc53768867d55c63
octopus/myproject/user_roles/views.py
Andrey Smakotin f2c1f7e02d feat: add self-modification protection for user roles 
Protect owners from accidentally locking themselves out by:
- Adding RoleService.can_modify_user_role() to centralize validation logic
- Blocking edit/delete operations on own role in views
- Hiding edit/delete buttons for own role in template

This prevents owners from:
- Changing their own role to a lower privilege level
- Deactivating themselves
- Deleting their own access

Standard admin pattern used by GitHub, WordPress, Django Admin.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-01 23:06:54 +03:00

123 lines
4.2 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
from django.shortcuts import render, redirect, get_object_or_404
from django.contrib.auth.decorators import login_required
from django.contrib import messages
from django.contrib.auth import get_user_model
from user_roles.models import Role, UserRole
from user_roles.services import RoleService
from user_roles.decorators import owner_required
User = get_user_model()
@login_required
@owner_required
def user_role_list(request):
"""Список пользователей с их ролями"""
user_roles = UserRole.objects.select_related('user', 'role', 'created_by').all()
roles = Role.objects.all()
context = {
'user_roles': user_roles,
'roles': roles,
}
return render(request, 'user_roles/user_role_list.html', context)
@login_required
@owner_required
def user_role_create(request):
"""Создание нового пользователя с ролью"""
if request.method == 'POST':
email = request.POST.get('email')
name = request.POST.get('name')
role_code = request.POST.get('role')
password = request.POST.get('password', User.objects.make_random_password(12))
try:
# Создаем пользователя
user = User.objects.create_user(
email=email,
name=name,
password=password,
is_email_confirmed=True
)
# Назначаем роль
RoleService.assign_role_to_user(user, role_code, created_by=request.user)
messages.success(request, f'Пользователь {email} создан с ролью {role_code}. Пароль: {password}')
return redirect('user_roles:list')
except Exception as e:
messages.error(request, f'Ошибка при создании пользователя: {str(e)}')
roles = Role.objects.all()
context = {
'roles': roles,
}
return render(request, 'user_roles/user_role_create.html', context)
@login_required
@owner_required
def user_role_edit(request, pk):
"""Изменение роли пользователя"""
user_role = get_object_or_404(UserRole, pk=pk)
# Защита от самоблокировки
can_modify, error_message = RoleService.can_modify_user_role(request.user, user_role)
if not can_modify:
messages.error(request, error_message)
return redirect('user_roles:list')
if request.method == 'POST':
role_code = request.POST.get('role')
is_active = request.POST.get('is_active') == 'on'
try:
# Обновляем роль
role = RoleService.get_role_by_code(role_code)
if not role:
raise ValueError(f"Роль '{role_code}' не найдена")
user_role.role = role
user_role.is_active = is_active
user_role.save()
messages.success(request, f'Роль пользователя {user_role.user.email} обновлена')
return redirect('user_roles:list')
except Exception as e:
messages.error(request, f'Ошибка при обновлении роли: {str(e)}')
roles = Role.objects.all()
context = {
'user_role': user_role,
'roles': roles,
}
return render(request, 'user_roles/user_role_edit.html', context)
@login_required
@owner_required
def user_role_delete(request, pk):
"""Удаление роли пользователя (отключение доступа)"""
user_role = get_object_or_404(UserRole, pk=pk)
# Защита от самоблокировки
can_modify, error_message = RoleService.can_modify_user_role(request.user, user_role)
if not can_modify:
messages.error(request, error_message)
return redirect('user_roles:list')
if request.method == 'POST':
email = user_role.user.email
user_role.delete()
messages.success(request, f'Доступ пользователя {email} удален')
return redirect('user_roles:list')
context = {
'user_role': user_role,
}
return render(request, 'user_roles/user_role_delete.html', context)
Reference in New Issue View Git Blame Copy Permalink