From 7acc562b533b0fca1171792fc5a1735420a6de07 Mon Sep 17 00:00:00 2001
From: j
Date: Thu, 31 May 2018 17:27:05 +0200
Subject: [PATCH] only admins can change rightslevel
---
 pandora/user/views.py | 2 +-
 static/js/usersDialog.js | 32 ++++++++++++++++++++------------
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/pandora/user/views.py b/pandora/user/views.py
index 83432bf1..182a602b 100644
--- a/pandora/user/views.py
+++ b/pandora/user/views.py
@@ -362,7 +362,7 @@ def editUser(request, data):
 response = json_response(status=403, text='email already in use')
 return render_to_json_response(response)
 user.email = data['email']
- if 'level' in data:
+ if 'level' in data and request.user.profile.get_level() == 'admin':
 profile.set_level(data['level'])
 if 'notes' in data:
 profile.notes = data['notes']
diff --git a/static/js/usersDialog.js b/static/js/usersDialog.js
index 4455d547..bf997c64 100644
--- a/static/js/usersDialog.js
+++ b/static/js/usersDialog.js
@@ -680,19 +680,27 @@ pandora.ui.usersDialog = function() {
 }
 }),
- Ox.Select({
- id: 'level',
- items: pandora.site.userLevels.slice(1).map(function(level) {
- return {
- id: level,
- title: Ox.toTitleCase(level)
- };
+ pandora.user.level == 'admin'
+ ? Ox.Select({
+ id: 'level',
+ items: pandora.site.userLevels.slice(1).map(function(level) {
+ return {
+ id: level,
+ title: Ox.toTitleCase(level)
+ };
+ }),
+ label: Ox._('Level'),
+ labelWidth: 80,
+ value: user.level,
+ width: formWidth - 16
+ }) : Ox.Input({
+ disabled: true,
+ id: 'level',
+ label: Ox._('Level'),
+ labelWidth: 80,
+ value: Ox.toTitleCase(user.level),
+ width: formWidth - 16
 }),
- label: Ox._('Level'),
- labelWidth: 80,
- value: user.level,
- width: formWidth - 16
- }),
 Ox.Checkbox({
 id: 'newsletter',
 label: Ox._('Newsletter'),
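Review bot: A non-admin request that carries `level` is now dropped silently in `editUser`: the added condition just skips `profile.set_level(data['level'])`, and the call presumably still reports success, so an attempted rights-level change leaves no error for the client and nothing to alert on. Rejecting it explicitly, the way the visible email-conflict branch does, would surface such attempts: `if 'level' in data and request.user.profile.get_level() != 'admin':` followed by `return render_to_json_response(json_response(status=403, text='permission denied'))`. That check belongs before any field on `user` or `profile` is assigned, which cannot be confirmed here because `editUser` starts and ends outside the hunk. `notes`, and any fields handled outside the hunk, appear to stay editable by every caller allowed to reach this endpoint, so it is worth confirming that this is intended.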
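Review bot: The read-only branch keeps `id: 'level'` but sets `value: Ox.toTitleCase(user.level)`, so for non-admins the form field named `level` holds a display string rather than the level id that the `Ox.Select` branch holds. Any code that collects the form's values by id would then see a different representation depending on who is logged in; the form's handlers are outside the hunk, so whether one does cannot be told from here. Keeping `value: user.level` in the disabled input, or giving it a separate id, avoids the mismatch. Since this ternary only changes presentation, a short comment above it such as `// display only: the admin check for level changes is enforced in editUser on the server` would keep a later reader from treating it as the access control.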