Changeset f7dd5e7 for remit/vouchers
- Timestamp:
- Mar 29, 2010, 3:22:55 AM (14 years ago)
- Branches:
- master, client
- Children:
- 0a5a003
- Parents:
- ef500c1
- git-author:
- Alex Dehnert <adehnert@…> (03/29/10 03:22:55)
- git-committer:
- Alex Dehnert <adehnert@…> (03/29/10 03:22:55)
- File:
-
- 1 edited
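--- a/remit/vouchers/views.py
+++ b/remit/vouchers/views.py
@@ -2,4 +2,5 @@
 from vouchers.models import ReimbursementRequest, Documentation
 from finance_core.models import BudgetTerm, BudgetArea
+from util.shortcuts import get_403_response
 
 from django.contrib.auth.decorators import user_passes_test
@@ -168,4 +169,6 @@
 def review_request(http_request, object_id):
 request_obj = get_object_or_404(ReimbursementRequest, pk=object_id)
+user = http_request.user
+pagename = 'request_reimbursement'
 new = False
 if 'new' in http_request.REQUEST:
@@ -174,4 +177,12 @@
 else:
 new = False
+
+if (user.has_perm('vouchers.view_requests') or
+user.username == request_obj.submitter or
+user.email.upper() == request_obj.check_to_email.upper()
+):
+pass
+else:
+return get_403_response(http_request, errmsg="You do not have permission to access this reimbursement request. You can only view requests you submitted or are the recipient for, unless you have general viewing permissions.", pagename=pagename, )
 
 # DOCUMENTATION #
@@ -247,15 +258,7 @@
 approve_form = VoucherizeForm(initial=initial)
 
-# Display the content
-if not (http_request.user.has_perm('vouchers.view_requests')
-or http_request.user.username == request_obj.submitter):
-# I'd probably use a 403, but that requires like writing
-# a new template and stuff
-# So I'm going to call this "don't leak information"
-# and let it be
-raise Http404
 context = {
 'rr':request_obj,
-'pagename': 'request_reimbursement',
+'pagename':pagename,
 'new': new,
 'doc_form': doc_upload_form,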
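Review bot: The third clause of the added permission check, `user.email.upper() == request_obj.check_to_email.upper()`, is true when both values are empty strings, so an account with no email set would pass for any request whose `check_to_email` is blank (whether the model allows a blank value is not visible here). Guarding the clause as `(user.email and user.email.upper() == request_obj.check_to_email.upper())` closes that case. The clause also makes the email address an authorization identity, so it is only as strong as the guarantee that a user cannot put an unverified address on their own account; a comment above the condition should state that assumption. If `review_request` can be reached without login (its decorators and the rest of its body are outside the hunks), `user.email` on an anonymous user would likely raise rather than return the 403.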