From c8cce83aa32f9f65497ae7f484e84c1a78aafc97 Mon Sep 17 00:00:00 2001
From: Claude Paroz <claude@2xlibre.net>
Date: Thu, 21 Feb 2019 09:51:14 +0100
Subject: [PATCH] Limit access to training pages to authorized users

---
 stages/views/__init__.py   |  2 ++
 templates/admin/index.html | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/stages/views/__init__.py b/stages/views/__init__.py
index 1d8637d..180a32c 100644
--- a/stages/views/__init__.py
+++ b/stages/views/__init__.py
@@ -5,6 +5,7 @@ from collections import OrderedDict
 from datetime import date, datetime, timedelta
 
 from django.contrib import messages
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.core.mail import EmailMessage
 from django.db.models import Count
 from django.http import HttpResponse, HttpResponseNotAllowed, HttpResponseRedirect
@@ -181,6 +182,7 @@ class AttributionView(TemplateView):
     When a student is chosen;
       * details of a student: StudentSummaryView
     """
+    permission_required = 'stages.change_training'
     template_name = 'attribution.html'
 
     def get_context_data(self, **kwargs):
diff --git a/templates/admin/index.html b/templates/admin/index.html
index d42f43c..10dac19 100644
--- a/templates/admin/index.html
+++ b/templates/admin/index.html
@@ -67,20 +67,26 @@ document.addEventListener("DOMContentLoaded", function(event) {
         </table>
         </div>
     {% endfor %}
-{% else %}
-    <p>{% trans "You don't have permission to edit anything." %}</p>
 {% endif %}
 </div>
 {% endblock %}
 
 {% block sidebar %}
 <div id="content-related">
+
+    {% if perms.stages.change_training %}
     <div class="module" id="custom-actions-module">
-    <h2>Interfaces spécifiques</h2>
+    <h2>Pratique professionnelle</h2>
     <ul>
       <li><a href="{% url 'attribution' %}">Organisation de la pratique professionnelle</a></li>
     </ul>
+    <ul>
+        <li style="margin-top: 1em;"><a href="{% url 'stages_export' %}">Exporter les données de pratique professionnelle</a> (récentes)</li>
+        <li><a href="{% url 'stages_export' 'all' %}">Exporter les données de pratique professionnelle</a> (toutes)</li>
+    </ul>
     </div>
+    {% endif %}
+
     <div class="module" id="custom-actions-module">
     <h2>Importation/exportation</h2>
     <ul>
@@ -88,8 +94,6 @@ document.addEventListener("DOMContentLoaded", function(event) {
         <li><a href="{% url 'import-students-ester' %}">Importer un fichier d'étudiants ESTER</a></li>
         <li><a href="{% url 'import-hp' %}">Importer le fichier HP</a></li>
         <li><a href="{% url 'import-hp-contacts' %}">Importer les formateurs (fichier HP)</a></li>
-        <li style="margin-top: 1em;"><a href="{% url 'stages_export' %}">Exporter les données de pratique professionnelle</a> (récentes)</li>
-        <li><a href="{% url 'stages_export' 'all' %}">Exporter les données de pratique professionnelle</a> (toutes)</li>
         <li><a href="{% url 'imputations_export' %}">Exporter les données comptables</a></li>
         <li><a href="{% url 'export_sap' %}">Exporter les données SAP</a></li>
         <li><a id="updateFormLink" href="{% url 'print_update_form' %}">Imprimer les formulaires de MAJ</a></li>