From c5922c74eadbfa8b65740890bf8c6b0ad94c1ac9 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Thu, 6 Aug 2020 01:53:45 -0500
Subject: [PATCH] Be smarter about how we prevent edit/delete for some people, employees instead of just hard-coding UUID for 'chuck'
---
 rattail_demo/web/views/employees.py | 28 +++++++++++++++++++++-------
 rattail_demo/web/views/people.py | 20 ++++++++++++++++++--
 2 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/rattail_demo/web/views/employees.py b/rattail_demo/web/views/employees.py
index 5fc99ae..594a443 100644
--- a/rattail_demo/web/views/employees.py
+++ b/rattail_demo/web/views/employees.py
@@ -1,23 +1,37 @@
-# -*- coding: utf-8 -*-
+# -*- coding: utf-8; -*-
 """
 Employee views
 """
-from __future__ import unicode_literals, absolute_import
-
 from tailbone.views import employees as base
+from tailbone.config import protected_usernames
-class EmployeesView(base.EmployeesView):
+class EmployeeView(base.EmployeesView):
 """
 Prevent edit/delete for Chuck Norris
 """
+ def __init__(self, request, **kwargs):
+ super(EmployeeView, self).__init__(request, **kwargs)
+ self.protected_usernames = protected_usernames(self.rattail_config)
+
+ def is_employee_protected(self, employee):
+ if self.protected_usernames:
+ for user in employee.person.users:
+ if user.username in self.protected_usernames:
+ return True
+ return False
+
 def editable_instance(self, employee):
- return employee.person_uuid != '30d1fe06bcf411e6a7c23ca9f40bc550'
+ if self.request.is_root:
+ return True
+ return not self.is_employee_protected(employee)
 def deletable_instance(self, employee):
- return employee.person_uuid != '30d1fe06bcf411e6a7c23ca9f40bc550'
+ if self.request.is_root:
+ return True
+ return not self.is_employee_protected(employee)
 def includeme(config):
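Review bot: `is_employee_protected` fails open when no protected usernames are configured: the `if self.protected_usernames:` guard then returns False for every employee, whereas the removed UUID comparison locked the demo record unconditionally. `tailbone.config.protected_usernames` is not visible here, so what it returns for a missing setting is an assumption; if the lock is meant to hold on every demo deployment, log a warning in `__init__` when the value is empty, or fall back to a default list. The class docstring is also stale now; something like `Prevent edit/delete for employees tied to a protected username (root excepted)` matches the new behaviour. Both points apply equally to `PersonView` in the last people.py hunk.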
@@ -27,4 +41,4 @@ def includeme(config):
 config.add_view(base.EmployeesAutocomplete, route_name='employees.autocomplete', renderer='json', permission='employees.list')
- EmployeesView.defaults(config)
+ EmployeeView.defaults(config)
diff --git a/rattail_demo/web/views/people.py b/rattail_demo/web/views/people.py
index b7f8b6a..e614df9 100644
--- a/rattail_demo/web/views/people.py
+++ b/rattail_demo/web/views/people.py
@@ -5,6 +5,7 @@ Person views
 from tailbone.views import people as base
 from tailbone_corepos.views import people as corepos_base
+from tailbone.config import protected_usernames
 class PersonView(corepos_base.PersonView):
@@ -12,11 +13,26 @@ class PersonView(corepos_base.PersonView):
 Prevent edit/delete for Chuck Norris
 """
+ def __init__(self, request, **kwargs):
+ super(PersonView, self).__init__(request, **kwargs)
+ self.protected_usernames = protected_usernames(self.rattail_config)
+
+ def is_person_protected(self, person):
+ if self.protected_usernames:
+ for user in person.users:
+ if user.username in self.protected_usernames:
+ return True
+ return False
+
 def editable_instance(self, person):
- return person.uuid != '30d1fe06bcf411e6a7c23ca9f40bc550'
+ if self.request.is_root:
+ return True
+ return not self.is_person_protected(person)
 def deletable_instance(self, person):
- return person.uuid != '30d1fe06bcf411e6a7c23ca9f40bc550'
+ if self.request.is_root:
+ return True
+ return not self.is_person_protected(person)
 def includeme(config):
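Review bot: In `PersonView` the lock now follows the usernames found in `person.users` instead of a fixed person UUID, so it is only as strong as the controls on those user records. Whether the user views apply the same protection to the username and to the user-to-person link is not visible in this patch and is worth confirming, because `is_person_protected` returns False as soon as neither matches. Separately, `editable_instance` and `deletable_instance` have identical bodies here and in employees.py; `deletable_instance = editable_instance` in the class body would keep the two from drifting apart.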