From 7d3e2ec7f24b00d88462c4155dee36a793b28fd7 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Tue, 23 Jun 2015 19:46:50 +0200
Subject: [PATCH] Refs #39 -- Hide links from users without permission

---
 src/pretix/control/middleware.py              |   6 +-
 .../templates/pretixcontrol/event/base.html   | 206 +++++++++---------
 .../templates/pretixcontrol/order/index.html  |  46 ++--
 src/pretix/plugins/banktransfer/signals.py    |   2 +
 4 files changed, 139 insertions(+), 121 deletions(-)

diff --git a/src/pretix/control/middleware.py b/src/pretix/control/middleware.py
index 34d966899a..0893775196 100644
--- a/src/pretix/control/middleware.py
+++ b/src/pretix/control/middleware.py
@@ -7,7 +7,7 @@ from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.http import HttpResponseNotFound
 from django.utils.translation import ugettext as _
 
-from pretix.base.models import Event, Organizer
+from pretix.base.models import Event, Organizer, EventPermission
 
 
 class PermissionMiddleware:
@@ -54,6 +54,10 @@ class PermissionMiddleware:
                     permitted__id__exact=request.user.id,
                     organizer__slug=url.kwargs['organizer'],
                 ).select_related('organizer')[0]
+                request.eventperm = EventPermission.objects.current.get(
+                    event=request.event,
+                    user=request.user
+                )
                 request.organizer = request.event.organizer
             except IndexError:
                 return HttpResponseNotFound(_("The selected event was not found or you "
diff --git a/src/pretix/control/templates/pretixcontrol/event/base.html b/src/pretix/control/templates/pretixcontrol/event/base.html
index 83b7e5ec23..60ce6b41bc 100644
--- a/src/pretix/control/templates/pretixcontrol/event/base.html
+++ b/src/pretix/control/templates/pretixcontrol/event/base.html
@@ -9,104 +9,114 @@
             {% trans "Dashboard" %}
         </a>
     </li>
-    <li>
-        <a href="#">
-            <i class="fa fa-wrench fa-fw"></i>
-            {% trans "Settings" %}
-            <span class="fa arrow"></span>
-        </a>
-        <ul class="nav nav-second-level">
-            <li>
-                <a href="{% url 'control:event.settings' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.settings" == url_name %}class="active"{% endif %}>
-                    {% trans "General" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.settings.permissions' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.settings.permissions" == url_name %}class="active"{% endif %}>
-                    {% trans "Permissions" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.settings.payment' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.settings.payment" == url_name %}class="active"{% endif %}>
-                    {% trans "Payment" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.settings.plugins' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.settings.plugins" == url_name %}class="active"{% endif %} >
-                    {% trans "Plugins" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.settings.tickets' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.settings.tickets" == url_name %}class="active"{% endif %} >
-                    {% trans "Tickets" %}
-                </a>
-            </li>
-        </ul>
-    </li>
-    <li>
-        <a href="#">
-            <i class="fa fa-ticket fa-fw"></i>
-            {% trans "Products" %}
-            <span class="fa arrow"></span>
-        </a>
-        <ul class="nav nav-second-level">
-            <li>
-                <a href="{% url 'control:event.items' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.items" == url_name or "event.item." in url_name or url_name == "event.item" %}class="active"{% endif %}>
-                    {% trans "Products" %}</a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.items.quotas' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.items.quotas" in url_name %}class="active"{% endif %}>
-                    {% trans "Quotas" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.items.categories' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.items.categories" in url_name %}class="active"{% endif %}>
-                    {% trans "Categories" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.items.properties' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.items.properties" in url_name %}class="active"{% endif %}>
-                    {% trans "Properties" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.items.questions' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if "event.items.questions" in url_name %}class="active"{% endif %}>
-                    {% trans "Questions" %}
-                </a>
-            </li>
-        </ul>
-    </li>
-    <li>
-        <a href="#">
-            <i class="fa fa-shopping-cart fa-fw"></i>
-            {% trans "Orders" %}
-            <span class="fa arrow"></span>
-        </a>
-        <ul class="nav nav-second-level">
-            <li>
-                <a href="{% url 'control:event.orders' organizer=request.event.organizer.slug event=request.event.slug %}"
-                        {% if url_name == "event.orders" or "event.order." in url_name %}class="active"{% endif %}>
-                    {% trans "All orders" %}
-                </a>
-            </li>
-            <li>
-                <a href="{% url 'control:event.orders.overview' organizer=request.event.organizer.slug event=request.event.slug %}"
-                   {% if url_name == "event.orders.overview" %}class="active"{% endif %}>
-                    {% trans "Overview" %}
-                </a>
-            </li>
-        </ul>
-    </li>
+    {% if request.eventperm.can_change_settings or request.eventperm.can_change_permissions %}
+        <li>
+            <a href="#">
+                <i class="fa fa-wrench fa-fw"></i>
+                {% trans "Settings" %}
+                <span class="fa arrow"></span>
+            </a>
+            <ul class="nav nav-second-level">
+                {% if request.eventperm.can_change_settings %}
+                    <li>
+                        <a href="{% url 'control:event.settings' organizer=request.event.organizer.slug event=request.event.slug %}"
+                                {% if "event.settings" == url_name %}class="active"{% endif %}>
+                            {% trans "General" %}
+                        </a>
+                    </li>
+                    <li>
+                        <a href="{% url 'control:event.settings.payment' organizer=request.event.organizer.slug event=request.event.slug %}"
+                                {% if "event.settings.payment" == url_name %}class="active"{% endif %}>
+                            {% trans "Payment" %}
+                        </a>
+                    </li>
+                    <li>
+                        <a href="{% url 'control:event.settings.plugins' organizer=request.event.organizer.slug event=request.event.slug %}"
+                                {% if "event.settings.plugins" == url_name %}class="active"{% endif %} >
+                            {% trans "Plugins" %}
+                        </a>
+                    </li>
+                    <li>
+                        <a href="{% url 'control:event.settings.tickets' organizer=request.event.organizer.slug event=request.event.slug %}"
+                                {% if "event.settings.tickets" == url_name %}class="active"{% endif %} >
+                            {% trans "Tickets" %}
+                        </a>
+                    </li>
+                {% endif %}
+                {% if request.eventperm.can_change_permissions %}
+                    <li>
+                        <a href="{% url 'control:event.settings.permissions' organizer=request.event.organizer.slug event=request.event.slug %}"
+                           {% if "event.settings.permissions" == url_name %}class="active"{% endif %}>
+                            {% trans "Permissions" %}
+                        </a>
+                    </li>
+                {% endif %}
+            </ul>
+        </li>
+    {% endif %}
+    {% if request.eventperm.can_change_items %}
+        <li>
+            <a href="#">
+                <i class="fa fa-ticket fa-fw"></i>
+                {% trans "Products" %}
+                <span class="fa arrow"></span>
+            </a>
+            <ul class="nav nav-second-level">
+                <li>
+                    <a href="{% url 'control:event.items' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if "event.items" == url_name or "event.item." in url_name or url_name == "event.item" %}class="active"{% endif %}>
+                        {% trans "Products" %}</a>
+                </li>
+                <li>
+                    <a href="{% url 'control:event.items.quotas' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if "event.items.quotas" in url_name %}class="active"{% endif %}>
+                        {% trans "Quotas" %}
+                    </a>
+                </li>
+                <li>
+                    <a href="{% url 'control:event.items.categories' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if "event.items.categories" in url_name %}class="active"{% endif %}>
+                        {% trans "Categories" %}
+                    </a>
+                </li>
+                <li>
+                    <a href="{% url 'control:event.items.properties' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if "event.items.properties" in url_name %}class="active"{% endif %}>
+                        {% trans "Properties" %}
+                    </a>
+                </li>
+                <li>
+                    <a href="{% url 'control:event.items.questions' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if "event.items.questions" in url_name %}class="active"{% endif %}>
+                        {% trans "Questions" %}
+                    </a>
+                </li>
+            </ul>
+        </li>
+    {% endif %}
+    {% if request.eventperm.can_view_orders %}
+        <li>
+            <a href="#">
+                <i class="fa fa-shopping-cart fa-fw"></i>
+                {% trans "Orders" %}
+                <span class="fa arrow"></span>
+            </a>
+            <ul class="nav nav-second-level">
+                <li>
+                    <a href="{% url 'control:event.orders' organizer=request.event.organizer.slug event=request.event.slug %}"
+                            {% if url_name == "event.orders" or "event.order." in url_name %}class="active"{% endif %}>
+                        {% trans "All orders" %}
+                    </a>
+                </li>
+                <li>
+                    <a href="{% url 'control:event.orders.overview' organizer=request.event.organizer.slug event=request.event.slug %}"
+                       {% if url_name == "event.orders.overview" %}class="active"{% endif %}>
+                        {% trans "Overview" %}
+                    </a>
+                </li>
+            </ul>
+        </li>
+    {% endif %}
     {% for nav in nav_event %}
         <li>
             <a href="{{ nav.url }}" {% if nav.active %}class="active"{% endif %}>
diff --git a/src/pretix/control/templates/pretixcontrol/order/index.html b/src/pretix/control/templates/pretixcontrol/order/index.html
index 9a7092c5ad..713565141c 100644
--- a/src/pretix/control/templates/pretixcontrol/order/index.html
+++ b/src/pretix/control/templates/pretixcontrol/order/index.html
@@ -12,29 +12,31 @@
         {% endblocktrans %}
         {% include "pretixcontrol/orders/fragment_order_status.html" with order=order class="pull-right" %}
     </h1>
-    {% if order.status == 'n' or order.status == 'p' %}
-        <form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"
-                method="post">
-            {% csrf_token %}
-            <div class="btn-toolbar" role="toolbar">
-                <div class="btn-group" role="group">
-                    {% if order.status == 'n' %}
-                        <button name="status" value="p" class="btn btn-default">{% trans "Mark as paid" %}</button>
-                        <a href="{% url "control:event.order.extend" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default">
-                            {% trans "Extend payment term" %}
-                        </a>
-                        <a href="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}?status=c" class="btn btn-default">
-                            {% trans "Cancel order" %}
-                        </a>
-                    {% elif order.status == 'p' %}
-                        <button name="status" value="n" class="btn btn-default">{% trans "Mark as not paid" %}</button>
-                        <a href="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}?status=r" class="btn btn-default">
-                            {% trans "Refund order" %}
-                        </a>
-                    {% endif %}
+    {% if request.eventperm.can_change_orders %}
+        {% if order.status == 'n' or order.status == 'p' %}
+            <form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"
+                    method="post">
+                {% csrf_token %}
+                <div class="btn-toolbar" role="toolbar">
+                    <div class="btn-group" role="group">
+                        {% if order.status == 'n' %}
+                            <button name="status" value="p" class="btn btn-default">{% trans "Mark as paid" %}</button>
+                            <a href="{% url "control:event.order.extend" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default">
+                                {% trans "Extend payment term" %}
+                            </a>
+                            <a href="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}?status=c" class="btn btn-default">
+                                {% trans "Cancel order" %}
+                            </a>
+                        {% elif order.status == 'p' %}
+                            <button name="status" value="n" class="btn btn-default">{% trans "Mark as not paid" %}</button>
+                            <a href="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}?status=r" class="btn btn-default">
+                                {% trans "Refund order" %}
+                            </a>
+                        {% endif %}
+                    </div>
                 </div>
-            </div>
-        </form>
+            </form>
+        {% endif %}
     {% endif %}
     <div class="panel panel-primary items">
         <div class="panel-heading">
diff --git a/src/pretix/plugins/banktransfer/signals.py b/src/pretix/plugins/banktransfer/signals.py
index 162fe00bb9..634bbcd4a0 100644
--- a/src/pretix/plugins/banktransfer/signals.py
+++ b/src/pretix/plugins/banktransfer/signals.py
@@ -16,6 +16,8 @@ def register_payment_provider(sender, **kwargs):
 @receiver(nav_event)
 def control_nav_import(sender, request=None, **kwargs):
     url = resolve(request.path_info)
+    if not request.eventperm.can_change_orders:
+        return []
     return [
         {
             'label': _('Import bank data'),