added links

hr_module/static/js/csrf_token.js

@@ -1,4 +1,4 @@
-const csrftoken = getCookie('csrftoken');
+
 
 function getCookie(name) {
     let cookieValue = null;

hr_module/static/js/hr_module_change_employee_data.js

@@ -1,3 +1,4 @@
+const csrftoken = getCookie('csrftoken');
 
 var searchEmployeeButton = document.getElementById('load_employee_data_button')
 searchEmployeeButton.addEventListener('click', function(){

hr_module/static/js/hr_module_create_schedule.js

@@ -1,3 +1,4 @@
+const csrftoken = getCookie('csrftoken');
 
 var searchInput = document.getElementById('searched_string');
 searchInput.addEventListener("click", fetchSearchOptions);

hr_module/static/js/hr_module_show_schedule.js

@@ -1,4 +1,6 @@
 
+const csrftoken = getCookie('csrftoken');
+
 var parent = document.getElementById('calendar_box')
 document.onload = parent.appendChild(addCalendar(monthsAhead=3))
 formatCalendarContainerSize(document.getElementById('calendar_container'))

hr_module/templates/hr_module_base.html

@@ -8,6 +8,7 @@
 
 
 {% block core_content %}
+<script src="{% static '/js/csrf_token.js' %}"></script>
 
 <div class="sidebar">
 
@@ -43,6 +44,6 @@
 {% endblock %}
 </div>
 
-<script src="{% static '/js/csrf_token.js' %}"></script>
+
 
 {% endblock %}

hr_module/views.py

@@ -22,20 +22,45 @@ def change_employee_data(request):
     return render(request, template_name)
 
 def change_employee_data_api(request):
-
     if request.method == 'POST':
-        body = json.loads(request.body)
-        username = body['username']
+        if request.user.is_authenticated:
+            session_user = User.objects.select_related('employee').get(username=request.user.username)
+            session_user_username = session_user.username
+            session_user_manager_flag = session_user.employee.manager_flag
 
-        empl = User.objects.select_related('employee').get(username=username)
+            body = json.loads(request.body)
+            username = body['username']
 
-        record_employee = empl.employee.__dict__
-        record_user = empl.__dict__
-        response_dict = dict(record_user, **record_employee)
-        for i in ['_state', 'password']:
-            response_dict.pop(i)
-        print(response_dict)
-        return JsonResponse(response_dict, safe=False)
+            if request.user.is_superuser:
+                try:
+                    empl = User.objects.select_related('employee').get(username=username)
+                except Exception as e:
+                    print(e)
+                    empl = None
+            elif session_user_manager_flag == True:
+                try:
+                    print('checking manager flag')
+                    empl = User.objects.select_related('employee').get(username=username)
+                    if empl.employee.manager_username != session_user_username:
+                        empl = None
+                except Exception as e:
+                    print(e)
+                    empl = None
+            else:
+                empl = None
+
+            if empl is None:
+                return JsonResponse({'error': 'no_access_or_no_username'})
+
+            record_employee = empl.employee.__dict__
+            record_user = empl.__dict__
+            response_dict = dict(record_user, **record_employee)
+            for i in ['_state', 'password']:
+                response_dict.pop(i)
+            print(response_dict)
+            return JsonResponse(response_dict, safe=False)
+        else:
+            return JsonResponse({'error': 'not_authenticated'})
 
 
 def create_employees(request):