feat: restricted ticket modifications to specific users

ticketsystem/models.py

@@ -27,6 +27,7 @@ class Ticket(models.Model):
     def __str__(self):
         return f"[{self.get_priority_display()}] {self.title} ({self.get_status_display()})"
 
+
 class Comment(models.Model):
     ticket = models.ForeignKey("Ticket", on_delete=models.CASCADE, related_name="comments")
     author = models.ForeignKey(User, on_delete=models.CASCADE)

ticketsystem/templates/ticketsystem/detail.html

@@ -1,4 +1,17 @@
 {% block content %}
+{% if messages %}
+  <div style="max-width: 600px; margin: 1rem auto;">
+    {% for message in messages %}
+      <div style="padding: 1rem; border-radius: 5px; margin-bottom: 1rem;
+                  background-color: {% if message.tags == 'error' %}#f8d7da
+                                   {% elif message.tags == 'success' %}#d4edda
+                                   {% else %}#fff3cd{% endif %};
+                  color: #333;">
+        {{ message }}
+      </div>
+    {% endfor %}
+  </div>
+{% endif %}
 <style>
     .ticket-container {
       max-width: 700px;

ticketsystem/views.py

@@ -1,4 +1,3 @@
-from django.shortcuts import get_object_or_404, render
 from django.views.generic import ListView, TemplateView
 from django.views.generic.edit import CreateView, UpdateView
 from django.urls import reverse_lazy
@@ -6,6 +5,10 @@ from django.views.generic.detail import DetailView
 from django.views.generic.edit import FormMixin
 from .forms import CommentForm
 from django.urls import reverse
+from django.http import HttpResponseForbidden
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib import messages
+from django.shortcuts import redirect
 
 from .models import Ticket
 
@@ -36,7 +39,7 @@ class TicketListView(ListView):
 
 
 class TicketDetailView(FormMixin, DetailView):
-    model = Ticket  # <- das ist wichtig!
+    model = Ticket
     template_name = "ticketsystem/detail.html"
     context_object_name = "ticket"
     form_class = CommentForm
@@ -62,20 +65,28 @@ class TicketDetailView(FormMixin, DetailView):
 
 class TicketCreateView(CreateView):
     model = Ticket
-    fields = ["title", "description", "priority", "assigned_to"]  # user & status setzen wir automatisch
+    fields = ["title", "description", "priority", "assigned_to"]  # user & status wird automatisch gesetzt
     template_name = "ticketsystem/ticket_form.html"
-    success_url = reverse_lazy("index")
+    success_url = reverse_lazy("ticket-list")
 
     def form_valid(self, form):
         form.instance.created_by = self.request.user  # Der angemeldete User wird automatisch gesetzt
         form.instance.status = "open"  # Neues Ticket beginnt immer als "offen"
         return super().form_valid(form)
 
-class TicketUpdateView(UpdateView):
+class TicketUpdateView(LoginRequiredMixin, UpdateView):
     model = Ticket
     fields = ["title", "description", "status", "priority", "assigned_to"]
-    template_name = "ticketsystem/ticket_form.html"  # kannst das gleiche Template wie beim Erstellen verwenden
-    success_url = reverse_lazy("index")  # oder zurück zur Detailseite
+    template_name = "ticketsystem/ticket_form.html"
+    success_url = reverse_lazy("ticket-list")
+
+    def dispatch(self, request, *args, **kwargs):
+        ticket = self.get_object()
+        user = request.user
+        if user != ticket.assigned_to:
+            messages.error(request, "⛔ Du darfst dieses Ticket nicht bearbeiten.")
+            return redirect("detail", pk=ticket.pk)
+        return super().dispatch(request, *args, **kwargs)
 
     def get_queryset(self):
         return Ticket.objects.all()  # Optional: Nur eigene Tickets bearbeiten lassen?