Changeset f7dd5e7 for remit/vouchers


Timestamp: Mar 29, 2010, 3:22:55 AM (14 years ago)
Author: Alex Dehnert <adehnert@…>
Branches: master, client
Children: 0a5a003
Parents: ef500c1
git-author: Alex Dehnert <adehnert@…> (03/29/10 03:22:55)
git-committer: Alex Dehnert <adehnert@…> (03/29/10 03:22:55)
Message:

Let voucher recipients see requests as well

File: 1 edited

  • remit/vouchers/views.py

    ra75ed9b rf7dd5e7  
    22from vouchers.models import ReimbursementRequest, Documentation
    33from finance_core.models import BudgetTerm, BudgetArea
     4from util.shortcuts import get_403_response
    45
    56from django.contrib.auth.decorators import user_passes_test
     
    168169def review_request(http_request, object_id):
    169170    request_obj = get_object_or_404(ReimbursementRequest, pk=object_id)
     171    user = http_request.user
     172    pagename = 'request_reimbursement'
    170173    new = False
    171174    if 'new' in http_request.REQUEST:
     
    174177        else:
    175178            new = False
     179
     180    if (user.has_perm('vouchers.view_requests') or
     181        user.username == request_obj.submitter or
     182        user.email.upper() == request_obj.check_to_email.upper()
     183        ):
     184        pass
     185    else:
     186        return get_403_response(http_request, errmsg="You do not have permission to access this reimbursement request. You can only view requests you submitted or are the recipient for, unless you have general viewing permissions.", pagename=pagename, )
    176187
    177188    # DOCUMENTATION #
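
Review bot: The recipient clause at new line 182 compares `user.email.upper()` with `request_obj.check_to_email.upper()` without requiring either value to be non-empty, so an account with a blank email matches every request whose `check_to_email` is blank; check that the user's email is non-empty before comparing. The clause also makes the account's email field an authorization input, so access is only as trustworthy as whatever verification applies when that field is set or changed, which deserves a comment here. As a style point, the `if ...: pass` / `else: return` shape at lines 180-186 reads more directly as `if not (...): return get_403_response(...)`.
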
     
    247258            approve_form = VoucherizeForm(initial=initial)
    248259
    249     # Display the content
    250     if not (http_request.user.has_perm('vouchers.view_requests')
    251         or http_request.user.username == request_obj.submitter):
    252         # I'd probably use a 403, but that requires like writing
    253         # a new template and stuff
    254         # So I'm going to call this "don't leak information"
    255         # and let it be
    256         raise Http404
    257260    context = {
    258261        'rr':request_obj,
    259         'pagename':'request_reimbursement',
     262        'pagename':pagename,
    260263        'new': new,
    261264        'doc_form': doc_upload_form,
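
Review bot: With the `raise Http404` at old line 256 removed in favour of the 403 returned at new line 186, an unauthorized user now gets a 403 for a request that exists and a 404 from `get_object_or_404` for one that does not, so valid request ids can be distinguished from invalid ones. The removed comment gave "don't leak information" as the reason for the 404; if that still matters, return the same response in both cases, otherwise state in the commit message that the disclosure is accepted.
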