Sólo pueden editar admins y execs

Metronus · Jun 27, 2017 · db298d7 · db298d7
1 parent 5e6dcae
commit db298d7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/Metronus-Project/metronus/templates/employee/employee_list.html b/Metronus-Project/metronus/templates/employee/employee_list.html
@@ -4,6 +4,7 @@
 {% load l10n %}
 
 {% block title %}{% trans 'employeeList' %}{% endblock %}
+{% load custom_tags %}
 
 {% block content %}
 <!-- EMPLEADOS ACTIVOS -->
@@ -48,13 +49,17 @@ <h2>{% trans 'employeeList' %}</h2>
               <td>{{employee.phone}}</td>
               <td class="hidden-xs">{{employee.registryDate}}</td>
               <td>
-                  <a href="{% url 'employee_view' employee.user.username %}" type="button" class="btn btn-success">
-                  {% trans 'details' %}</a>
+                  {% if actor_is_admin or actor_is_executive %}
+                    <a href="{% url 'employee_view' employee.user.username %}" type="button" class="btn btn-success">
+                    {% trans 'details' %}</a>
+                  {% endif %}
               </td>
               <td class="hidden-xs">
-                <a href="{% url 'employee_edit' employee.user.username %}" type="button" class="btn btn-dark">
+                {% if actor_is_admin or actor_is_executive %}
+                  <a href="{% url 'employee_edit' employee.user.username %}" type="button" class="btn btn-dark">
                   {% trans 'update' %}
-                </a>
+                  </a>
+                {% endif %}
               </td>
               <td class="hidden-xs">
                 <a href="#" class="btn btn-danger" data-href="{% url 'employee_delete' employee.user.username %}"

diff --git a/Metronus-Project/metronus_app/controllers/employeeController.py b/Metronus-Project/metronus_app/controllers/employeeController.py
@@ -21,7 +21,7 @@
 from django.http import HttpResponse
 
 from metronus_app.common_utils import (is_role_updatable_by_user, check_image, get_current_employee_or_403, send_mail,
-                                       is_email_unique, is_username_unique, get_authorized_or_403,default_round,validate_pass)
+                                       is_email_unique, is_username_unique, get_authorized_or_403,default_round,validate_pass, get_admin_executive_or_403)
 from datetime import date, timedelta, datetime
 import re
 
@@ -256,7 +256,7 @@ def edit(request, username):
     """
 
     # Check that the user is logged in and it's an administrator
-    admin = get_authorized_or_403(request)
+    admin = get_admin_executive_or_403(request)
     employee = get_object_or_404(Employee, user__username=username)
 
     # Check that the admin has permission to view that employee