From 039a603f960852e16f28930e3f3e36c199fc6fe8 Mon Sep 17 00:00:00 2001
From: Thibaut Broggi <tbr@laquadrature.net>
Date: Wed, 29 Nov 2017 16:51:11 +0100
Subject: [PATCH] Add permission requirement for /user route

---
 apps/core/management/commands/init_groups.py | 5 +++--
 apps/rp/views/users.py                       | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/apps/core/management/commands/init_groups.py b/apps/core/management/commands/init_groups.py
index b32bee4..0b7f765 100644
--- a/apps/core/management/commands/init_groups.py
+++ b/apps/core/management/commands/init_groups.py
@@ -1,10 +1,11 @@
 from django.core.management.base import BaseCommand
 from django.contrib.auth.models import User, Group, Permission
 
-groups = ["jedi", "padawan"]
+groups = ["droid", "jedi", "padawan"]
 permissions = {
+    "droid": [],
     "jedi": [
-        "can_change_status", "can_change_priority", "can_vote", "can_edit"
+        "can_change_status", "can_change_priority", "can_vote", "can_edit", "can_edit_users"
     ],
     "padawan": ["can_vote", "add_article"]
 }
diff --git a/apps/rp/views/users.py b/apps/rp/views/users.py
index f63871b..5966bbd 100644
--- a/apps/rp/views/users.py
+++ b/apps/rp/views/users.py
@@ -1,11 +1,13 @@
 from django.contrib.auth.models import User
+from django.contrib.auth.mixins import PermissionRequiredMixin
 
 from django.views.generic.list import ListView
 
-class UserListView(ListView):
+class UserListView(PermissionRequiredMixin, ListView):
     model = User
     paginate_by = 20
-    template_name = "rp/user_list.html"
+    template_name = 'rp/user_list.html'
+    permission_required = 'can_edit_users'
 
     def get_queryset(self):
         qs = super().get_queryset()
-- 
GitLab