Zugriffsprobleme

2021-06-11 12:28:39 +02:00 · 2021-06-11 12:28:39 +02:00 · 72cfd367a0
parent d519b1418f
commit 72cfd367a0
6 changed files with 197 additions and 216 deletions
--- a/digitaleagentur/urls.py
+++ b/digitaleagentur/urls.py
@ -46,8 +46,6 @@ urlpatterns = [
    path('getdoc/<path:path>/<int:agpk>', GetCryptFileRecover.as_view(), name=FETCH_URL_NAME),
    path('getdoc/<path:path>', GetCryptFile.as_view(), name=FETCH_URL_NAME),
    path('captcha/', include('captcha.urls')),
 ] + static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
 if settings.DEBUG:
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
--- a/recoverdir/views.py
+++ b/recoverdir/views.py
@ -20,9 +20,7 @@ from django.contrib.auth.models import User
 from django.core.exceptions import ObjectDoesNotExist
 from django.contrib import messages
 ######## HELPER FUNCTIONS
 def randomString(stringLength=40):
    """Generate a random string of fixed length """
    letters = string.ascii_lowercase
@ -47,7 +45,6 @@ def randomStringRecoverKey():
 '''
 def checkForLogin(self):
 	# Acutal Timestamp
 	now = datetime.now()
 	userloginrdtime = self.request.user.profile.rd_login
@ -66,7 +63,6 @@ def checkForLogin(self):
 		return True
 ############################################# EXTERNAL ACCESS ############################################
 class LoadExternalDataLogin(FormView):
 	template_name = "recoverdir/rd_external_login.html"
 	form_class = LoginRDExternalForm
@ -94,8 +90,6 @@ class LoadExternalDataLogin(FormView):
 class CloseExternalData(TemplateView):
 	template_name = ""
 	def dispatch(self, *arg, **kwargs):
 		try:
 			settings = RecoverDirSetting.objects.filter(agency_id=kwargs['agpk'])[0]
@ -108,7 +102,6 @@ class CloseExternalData(TemplateView):
 		messages.warning(self.request, f'Externer Zugang erfolgreich geschlossen.')
 		return redirect('load-rd-external')
 class LoadExternalData(TemplateView):
 	template_name = "recoverdir/rd_external.html"
 	context_object_name = 'agencydata'
@ -239,10 +232,7 @@ class LoadExternalData(TemplateView):
 		})
 		return context
 ############# VIEWS
 # Create your views here.
 class RecoverDirManagement(LoginRequiredMixin, ListView):
 	model = PersLetter
@ -389,8 +379,6 @@ def CloseRecoverDir(request):
 	request.user.profile.save()
 	return redirect('recoverdir')
 class RecoverDirLog(FormView):
 	template_name = "recoverdir/rd_elements_forms/rd_mainlogin.html"
 	form_class = LoginRDForm
@ -470,7 +458,6 @@ class RecoverDirUpdateSettings(UpdateView):
 			return redirect('recoverdir-addsettings')
 		return super().form_valid(form)
 class RecoverDirAddPL(CreateView):
 	model = PersLetter
 	success_url = reverse_lazy('recoverdir')
@ -478,7 +465,7 @@ class RecoverDirAddPL(CreateView):
 	template_name = "recoverdir/rd_pers_add.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -493,10 +480,8 @@ class RecoverDirAddPL(CreateView):
 	def form_valid(self, form):
 		form.instance.agency = self.request.user.profile.agency
 		form.instance.user = self.request.user
 		# TASK: Hier Aktualisierung hinzufügen!
 		return super().form_valid(form)
 class RecoverDirUpdatePL(UpdateView):
 	model = PersLetter
 	success_url = reverse_lazy('recoverdir')
@ -504,7 +489,7 @@ class RecoverDirUpdatePL(UpdateView):
 	template_name = "recoverdir/rd_pers_update.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -518,7 +503,6 @@ class RecoverDirUpdatePL(UpdateView):
 		# TASK: Hier Aktualisierung hinzufügen!
 		return super().form_valid(form)
 # Notfallhilfe ELEMENTE
 # ABNSCHNITT 1
@ -529,7 +513,7 @@ class RDAoneAddDoc(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_adddoc.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -552,7 +536,6 @@ class RDAoneAddDoc(CreateView):
 		context.update({'active_link' : 'recoverdir'})
 		return context
 # Einzeldokumentenanzeige
 class RDAoneViewDoc(DetailView):
 	model = Documents
@ -561,7 +544,7 @@ class RDAoneViewDoc(DetailView):
 	context_object_name = 'document'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -573,7 +556,7 @@ class RDAoneDelDoc(DeleteView):
 	context_object_name = 'document'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -590,7 +573,7 @@ class RDAoneUpdateDoc(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_adddoc.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -621,7 +604,7 @@ class RDAoneAddHL(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addhl.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -642,7 +625,7 @@ class RDAoneUpdateHL(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addhl.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -660,7 +643,7 @@ class RDAoneAddFC(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addfc.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -681,7 +664,7 @@ class RDAoneUpdateContact(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addfc.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -691,7 +674,6 @@ class RDAoneUpdateContact(UpdateView):
 		context.update({'active_link' : 'recoverdir'})
 		return context
 class RDAoneViewContact(DetailView):
 	model = RDContact
 	success_url = reverse_lazy('recoverdir')
@ -699,7 +681,7 @@ class RDAoneViewContact(DetailView):
 	context_object_name = 'contact'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -711,7 +693,7 @@ class RDAoneDelContact(DeleteView):
 	context_object_name = 'contact'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -721,7 +703,6 @@ class RDAoneDelContact(DeleteView):
 		context.update({'active_link' : 'recoverdir'})
 		return context
 # VERTRAUENSPERSON
 class RDAoneViewTrust(DetailView):
 	model = RDTrustPerson
@ -730,7 +711,7 @@ class RDAoneViewTrust(DetailView):
 	context_object_name = 'contact'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -742,7 +723,7 @@ class RDAoneDelTrust(DeleteView):
 	context_object_name = 'contact'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -759,7 +740,7 @@ class RDAoneAddTrust(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addtrust.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -780,7 +761,7 @@ class RDAoneUpdateTrust(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_1_addtrust.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -799,7 +780,7 @@ class RDAtwoAddHLFV(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addhlvf.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -820,7 +801,7 @@ class RDAtwoUpdateFV(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addhlvf.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -830,7 +811,6 @@ class RDAtwoUpdateFV(UpdateView):
 		context.update({'active_link' : 'recoverdir'})
 		return context
 # Banken usw.
 class RDAtwoViewdeposit(DetailView):
 	model = DepositVollmacht
@ -839,7 +819,7 @@ class RDAtwoViewdeposit(DetailView):
 	context_object_name = 'deposit'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -851,7 +831,7 @@ class RDAtwoDeldeposit(DeleteView):
 	context_object_name = 'deposit'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -868,7 +848,7 @@ class RDAtwoAdddeposit(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_adddeposit.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -897,7 +877,7 @@ class RDAtwoUpdatedeposit(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_adddeposit.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -919,7 +899,7 @@ class RDAtwoViewergo(DetailView):
 	context_object_name = 'ergo'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -931,7 +911,7 @@ class RDAtwoDelergo(DeleteView):
 	context_object_name = 'ergo'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -948,7 +928,7 @@ class RDAtwoAddergo(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addergo.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -969,7 +949,7 @@ class RDAtwoUpdateergo(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addergo.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -991,7 +971,7 @@ class RDAtwoViewonlinebank(DetailView):
 	context_object_name = 'onlinebank'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1003,7 +983,7 @@ class RDAtwoDelonlinebank(DeleteView):
 	context_object_name = 'onlinebank'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1020,7 +1000,7 @@ class RDAtwoAddonlinebank(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addonlinebank.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1050,7 +1030,7 @@ class RDAtwoUpdateonlinebank(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_2_addonlinebank.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1079,7 +1059,7 @@ class RDAthreeViewstreaming(DetailView):
 	context_object_name = 'streaming'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1091,7 +1071,7 @@ class RDAthreeDelstreaming(DeleteView):
 	context_object_name = 'streaming'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1108,7 +1088,7 @@ class RDAthreeAddstreaming(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_3_addstreamingabo.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1137,7 +1117,7 @@ class RDAthreeUpdatestreaming(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_3_addstreamingabo.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1166,7 +1146,7 @@ class RDAfourViewdigitalaccount(DetailView):
 	context_object_name = 'account'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1179,7 +1159,7 @@ class RDAfourDeldigitalaccount(DeleteView):
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1196,7 +1176,7 @@ class RDAfourAdddigitalaccount(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_4_adddigitalaccount.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1226,7 +1206,7 @@ class RDAfourUpdatedigitalaccount(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_4_adddigitalaccount.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1255,7 +1235,7 @@ class RDAfiveViewpersonal(DetailView):
 	context_object_name = 'personal'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1267,7 +1247,7 @@ class RDAfiveDelpersonal(DeleteView):
 	context_object_name = 'personal'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1284,7 +1264,7 @@ class RDAfiveAddpersonal(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_5_addpersonal.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1306,7 +1286,7 @@ class RDAfiveUpdatepersonal(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_5_addpersonal.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1320,7 +1300,6 @@ class RDAfiveUpdatepersonal(UpdateView):
 		context.update({'active_link' : 'recoverdir'})
 		return context
 # RDElse
 class RDAnineViewelse(DetailView):
 	model = RDElse
@ -1329,7 +1308,7 @@ class RDAnineViewelse(DetailView):
 	context_object_name = 'else'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1341,7 +1320,7 @@ class RDAnineDelelse(DeleteView):
 	context_object_name = 'ele'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1358,7 +1337,7 @@ class RDAnineAddelse(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_9_addelse.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1380,7 +1359,7 @@ class RDAnineUpdateelse(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_9_addelse.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1402,7 +1381,7 @@ class RDAsevenViewcontract(DetailView):
 	context_object_name = 'contract'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1414,7 +1393,7 @@ class RDAsevenDelcontract(DeleteView):
 	context_object_name = 'ele'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1431,7 +1410,7 @@ class RDAsevenAddcontract(CreateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_7_addcontract.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1452,7 +1431,7 @@ class RDAsevenUpdatecontract(UpdateView):
 	template_name = "recoverdir/rd_elements_forms/rd_area_7_addcontract.html"
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1468,7 +1447,6 @@ class RDAsevenUpdatecontract(UpdateView):
 ################################################## HISTORY ELEMENT VIEW ##########################################
 # Persönliches Schreiben
 class PLSingleHistory(DetailView):
 	model = PersLetter
@ -1476,7 +1454,7 @@ class PLSingleHistory(DetailView):
 	context_object_name = 'persletter'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1503,7 +1481,7 @@ class HLSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_1_hl_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1532,7 +1510,7 @@ class HLVFSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_2_hl_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1555,14 +1533,13 @@ class HLVFSingleHistory(DetailView):
 		})
 		return context
 # CONTACT
 class ContactSingleHistory(DetailView):
 	model = RDContact
 	template_name = 'recoverdir/rd_elements_forms/rd_area_1_contact_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1591,7 +1568,7 @@ class TrustSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_1_trust_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1620,7 +1597,7 @@ class DepositSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_2_deposit_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1649,7 +1626,7 @@ class DocumentSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_doc_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1678,7 +1655,7 @@ class ErgoSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_2_ergo_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1707,7 +1684,7 @@ class OnlinebankSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_2_onlinebank_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1736,7 +1713,7 @@ class StreamingSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_3_streamingabo_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1765,7 +1742,7 @@ class DigitalAccountSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_4_digitalaccount_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1794,7 +1771,7 @@ class PersonalSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_5_personal_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1823,7 +1800,7 @@ class ContractSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_7_contract_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
@ -1852,7 +1829,7 @@ class ElseSingleHistory(DetailView):
 	template_name = 'recoverdir/rd_elements_forms/rd_area_9_else_single.html'
 	def dispatch(self, *args, **kwargs):
-		if(checkForLogin(self)):
+		if(checkForLogin(self) and self.instance.agency == self.request.user.profile.agency):
 			return super().dispatch(*args, **kwargs)
 		else:
 			return redirect('recoverdir-login')
--- a/timemanagement/views.py
+++ b/timemanagement/views.py
@ -55,76 +55,80 @@ def get_datetime_range(year, month):
@login_required
 def AbsenceUpdate(request, pk):
 	if request.method == "GET":
 		absence = Absence.objects.get(pk=pk)
-		timeinfo_thisyear = list(UserYearAbsenceInfo.objects.filter(year=absence.start.year, user=absence.user))[0]
+		if(absence.agency == request.user.profile.agency and request.user.has_perm("users.absencemanager")):
-		try:
+			timeinfo_thisyear = list(UserYearAbsenceInfo.objects.filter(year=absence.start.year, user=absence.user))[0]
-			timeinfo_nextyear = list(UserYearAbsenceInfo.objects.filter(year=absence.start.year+1, user=absence.user))[0]
+			try:
-		except:
+				timeinfo_nextyear = list(UserYearAbsenceInfo.objects.filter(year=absence.start.year+1, user=absence.user))[0]
-			timeinfo_nextyear = False
+			except:
 				timeinfo_nextyear = False
-		context = {
+			context = {
-			"active_link" : "abscence",
+				"active_link" : "abscence",
-			"form" : UpdateAbsence(instance=request.user),
+				"form" : UpdateAbsence(instance=request.user),
-			"absence" : absence,
+				"absence" : absence,
-			"timeinfo_thisyear" : timeinfo_thisyear,
+				"timeinfo_thisyear" : timeinfo_thisyear,
-			"timeinfo_nextyear" : timeinfo_nextyear,
+				"timeinfo_nextyear" : timeinfo_nextyear,
-			"start" : absence.start.strftime("%d.%m.%Y"),
+				"start" : absence.start.strftime("%d.%m.%Y"),
-			"end" : absence.end.strftime("%d.%m.%Y"),
+				"end" : absence.end.strftime("%d.%m.%Y"),
-		}
+			}
-		return render(request, 'timemanagement/tm_ab_update.html', context)
+			return render(request, 'timemanagement/tm_ab_update.html', context)
 		else:
 			return redirect("login")
 	elif request.method == "POST":
 		absence = Absence.objects.get(pk=pk)
-		formtocheck = UpdateAbsence(request.POST, instance=request.user)
+		if(absence.agency == request.user.profile.agency):
-		if(formtocheck.is_valid()):
+			formtocheck = UpdateAbsence(request.POST, instance=request.user)
 			if(formtocheck.is_valid()):
 				abinfo = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year))[0]
 				abinfo_lastyear = ""
 				abinfo_nextyear = ""
-			abinfo = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year))[0]
+				is_lastyear = False
 			abinfo_lastyear = ""
 			abinfo_nextyear = ""
-			is_lastyear = False
+				abinfo_lastyear = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year-1))
 				if(len(abinfo_lastyear) > 0):
 					is_lastyear = True
 					abinfo_lastyear = abinfo_lastyear[0]
-			abinfo_lastyear = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year-1))
+				is_nextyear = False
-			if(len(abinfo_lastyear) > 0):
+				abinfo_nextyear = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year+1))
-				is_lastyear = True
+				if(len(abinfo_nextyear) > 0):
-				abinfo_lastyear = abinfo_lastyear[0]
+					is_nextyear = True
 					abinfo_nextyear = abinfo_nextyear[0]
-			is_nextyear = False
+				abinfo.days_inuse -= formtocheck.cleaned_data["holidays_normal"]
-			abinfo_nextyear = list(UserYearAbsenceInfo.objects.filter(user=absence.user, year=absence.start.year+1))
+				abinfo.restdays -= formtocheck.cleaned_data["holidays_rest"]
-			if(len(abinfo_nextyear) > 0):
+				abinfo.save()
 				is_nextyear = True
 				abinfo_nextyear = abinfo_nextyear[0]
-			abinfo.days_inuse -= formtocheck.cleaned_data["holidays_normal"]
+				abinfo_nextyear.days_inuse -= formtocheck.cleaned_data["holidays_normal_next"]
-			abinfo.restdays -= formtocheck.cleaned_data["holidays_rest"]
+				abinfo_nextyear.restdays -= formtocheck.cleaned_data["holidays_rest_next"]
-			abinfo.save()
+				abinfo_nextyear.save()
-			abinfo_nextyear.days_inuse -= formtocheck.cleaned_data["holidays_normal_next"]
+				absence.start = formtocheck.cleaned_data["start"]
-			abinfo_nextyear.restdays -= formtocheck.cleaned_data["holidays_rest_next"]
+				absence.end = formtocheck.cleaned_data["end"]
-			abinfo_nextyear.save()
+				absence.startday_info = str(formtocheck.cleaned_data["startday_info"])
 				absence.endday_info = str(formtocheck.cleaned_data["endday_info"])
 				absence.reason = formtocheck.cleaned_data["reason"]
 				#absence.info = formtocheck.cleaned_data["info"]
 				absence.confirm_info = formtocheck.cleaned_data["confirm_info"]
-			absence.start = formtocheck.cleaned_data["start"]
+				rep = None
-			absence.end = formtocheck.cleaned_data["end"]
+				if(formtocheck.cleaned_data["representator"] != None):
-			absence.startday_info = str(formtocheck.cleaned_data["startday_info"])
+					rep = User.objects.get(pk=formtocheck.cleaned_data["representator"].pk)
 			absence.endday_info = str(formtocheck.cleaned_data["endday_info"])
 			absence.reason = formtocheck.cleaned_data["reason"]
 			#absence.info = formtocheck.cleaned_data["info"]
 			absence.confirm_info = formtocheck.cleaned_data["confirm_info"]
-			rep = None
+				absence.representator = rep
-			if(formtocheck.cleaned_data["representator"] != None):
+				absence.holidays_normal = 0.0
-				rep = User.objects.get(pk=formtocheck.cleaned_data["representator"].pk)
+				absence.holidays_rest = 0.0
-			
+				absence.holidays_normal_next = 0.0
-			absence.representator = rep
+				absence.holidays_rest_next = 0.0
-			absence.holidays_normal = 0.0
+				absence.save()
-			absence.holidays_rest = 0.0
+				messages.success(request, f'Abwesenheit aktualisiert!')
-			absence.holidays_normal_next = 0.0
+			else:
-			absence.holidays_rest_next = 0.0
+				messages.success(request, f'Fehler bei Abwesenheitsaktualisierung!')
 			absence.save()
 			messages.success(request, f'Abwesenheit aktualisiert!')
 		else:
-			messages.success(request, f'Fehler bei Abwesenheitsaktualisierung!')
+			return redirect("login")	
 		context = {
 			"active_link" : "abscence",
 		}
@ -132,7 +136,6 @@ def AbsenceUpdate(request, pk):
@login_required
 def AbsenceManagmenet(request, activemonth=False, activeyear=False):
 	# NEW ABSENCE
 	if(request.method == "POST"):
 		'''
@ -248,9 +251,7 @@ def AbsenceManagmenet(request, activemonth=False, activeyear=False):
 		except:
 			pass
 		# ABSENCE AUFLISTUNG NACH GRUND
 		allreasons = AbsenceReason.objects.filter(agency=request.user.profile.agency).order_by("name")
 		final_reasons = []
 		for ar in allreasons:
@ -414,41 +415,43 @@ def TimeManagement(request, activemonth=False, activeyear=False):
 def TimeUpdate(request, pk, team=0):
 	workday = Workday.objects.get(pk=pk)
 	user = workday.user
 	if(request.user.profile.agency == workday.agency and request.user.has_perm('users.usermanager')):
 		if(request.method == "POST"):
 			if(team == 0):
 				form = UpdateWorkdayForm(request.POST, instance=request.user)
 			else:
 				form = UpdateWorkdayForm(request.POST, instance=user)	
-	if(request.method == "POST"):
+			start = datetime.datetime(int(workday.start.year), int(workday.start.month), int(workday.start.day), int(((str(form["start"].value()).split(":"))[0])), int(((str(form["start"].value()).split(":"))[1])))
-		if(team == 0):
+
-			form = UpdateWorkdayForm(request.POST, instance=request.user)
+			end = datetime.datetime(int(workday.end.year), int(workday.end.month), int(workday.end.day), int(((str(form["end"].value()).split(":"))[0])), int(((str(form["end"].value()).split(":"))[1])))
 			workday.start = start
 			workday.end = end
 			workday.freefield = form["freefield"].value()
 			workday.target = form["target"].value()
 			# Speichern, das jemand den Arbeitstag bearbeitet hat
 			workday.lastManualChangeUser = request.user
 			workday.lastManualChangeDate = datetime.datetime.now()
 			workday.save()
 			messages.success(request, f'Arbeitstag aktualisiert')
 			if(team == 1):
 				return redirect('tm-team-single', user.pk, workday.start.month, workday.start.year)
 			else:
 				return redirect('tm-management')
 		else:
-			form = UpdateWorkdayForm(request.POST, instance=user)	
+			context = {
-
+				"active_link" : "timemanagement",
-		start = datetime.datetime(int(workday.start.year), int(workday.start.month), int(workday.start.day), int(((str(form["start"].value()).split(":"))[0])), int(((str(form["start"].value()).split(":"))[1])))
+				"workday" : Workday.objects.get(pk=pk),
-
+				"form" : UpdateWorkdayForm(instance= Workday.objects.get(pk=pk)),
-		end = datetime.datetime(int(workday.end.year), int(workday.end.month), int(workday.end.day), int(((str(form["end"].value()).split(":"))[0])), int(((str(form["end"].value()).split(":"))[1])))
+				"team" : team,
-
+				"user" : workday.user
-		workday.start = start
+			}
-		workday.end = end
+			return render(request, 'timemanagement/timemanagement_update.html', context)
 		workday.freefield = form["freefield"].value()
 		workday.target = form["target"].value()
 		# Speichern, das jemand den Arbeitstag bearbeitet hat
 		workday.lastManualChangeUser = request.user
 		workday.lastManualChangeDate = datetime.datetime.now()
 		workday.save()
 		messages.success(request, f'Arbeitstag aktualisiert')
 		if(team == 1):
 			return redirect('tm-team-single', user.pk, workday.start.month, workday.start.year)
 		else:
 			return redirect('tm-management')
 	else:
-		context = {
+		return redirect("login")
 			"active_link" : "timemanagement",
 			"workday" : Workday.objects.get(pk=pk),
 			"form" : UpdateWorkdayForm(instance= Workday.objects.get(pk=pk)),
 			"team" : team,
 			"user" : workday.user
 		}
 		return render(request, 'timemanagement/timemanagement_update.html', context)
@login_required
 def TimeAdd(request, team=0, pk=0):
@ -529,43 +532,46 @@ def TimeAdd(request, team=0, pk=0):
 def AddBreak(request, pk, team=0):
 	workday = Workday.objects.get(pk=pk)
 	user = workday.user
-	if(request.method == "POST"):
+	if(workday.agency == user.profile.agency):
-		if(team == 0):
+		if(request.method == "POST"):
-			form = AddBreakForm(request.POST, instance=request.user)
+			if(team == 0):
 				form = AddBreakForm(request.POST, instance=request.user)
 			else:
 				form = AddBreakForm(request.POST, instance=user)
 			start = datetime.datetime(int(workday.start.year), int(workday.start.month), int(workday.start.day), int(((str(form["start"].value()).split(":"))[0])), int(((str(form["start"].value()).split(":"))[1])))
 			end = datetime.datetime(int(workday.end.year), int(workday.end.month), int(workday.end.day), int(((str(form["end"].value()).split(":"))[0])), int(((str(form["end"].value()).split(":"))[1])))
 			if(team == 0):
 				newbreak = Breaks.objects.create(workday=workday, user=request.user, agency=request.user.profile.agency, start=start, end=end)
 			else:
 				newbreak = Breaks.objects.create(workday=workday, user=user, agency=user.profile.agency, start=start, end=end)
 			workday.breaks.add(newbreak)
 			workday.save()
 			messages.success(request, f'Pause hinzugefügt')
 			if(team == 0):
 				return redirect('tm-update', pk=pk)
 			else:
 				return redirect('tm-team-single', user.pk, workday.start.month, workday.start.year)
 		else:
-			form = AddBreakForm(request.POST, instance=user)
+			if(team == 0):
-
+				context = {
-		start = datetime.datetime(int(workday.start.year), int(workday.start.month), int(workday.start.day), int(((str(form["start"].value()).split(":"))[0])), int(((str(form["start"].value()).split(":"))[1])))
+					"active_link" : "timemanagement",
-
+					"workday" : Workday.objects.get(pk=pk),
-		end = datetime.datetime(int(workday.end.year), int(workday.end.month), int(workday.end.day), int(((str(form["end"].value()).split(":"))[0])), int(((str(form["end"].value()).split(":"))[1])))
+					"form" : AddBreakForm(instance=request.user)
-
+				}
-		if(team == 0):
+			else:
-			newbreak = Breaks.objects.create(workday=workday, user=request.user, agency=request.user.profile.agency, start=start, end=end)
+				context = {
-		else:
+					"active_link" : "timemanagement",
-			newbreak = Breaks.objects.create(workday=workday, user=user, agency=user.profile.agency, start=start, end=end)
+					"workday" : Workday.objects.get(pk=pk),
-
+					"form" : AddBreakForm(instance=user)
-		workday.breaks.add(newbreak)
+				}
-		workday.save()
+			return render(request, 'timemanagement/timemanagement_break.html', context)
 		messages.success(request, f'Pause hinzugefügt')
 		if(team == 0):
 			return redirect('tm-update', pk=pk)
 		else:
 			return redirect('tm-team-single', user.pk, workday.start.month, workday.start.year)
 	else:
-		if(team == 0):
+		return redirect('login')
 			context = {
 				"active_link" : "timemanagement",
 				"workday" : Workday.objects.get(pk=pk),
 				"form" : AddBreakForm(instance=request.user)
 			}
 		else:
 			context = {
 				"active_link" : "timemanagement",
 				"workday" : Workday.objects.get(pk=pk),
 				"form" : AddBreakForm(instance=user)
 			}
 		return render(request, 'timemanagement/timemanagement_break.html', context)
@login_required
 def TimeAjax(request):
--- a/users/.DS_Store
+++ b/users/.DS_Store
--- a/users/static/.DS_Store
+++ b/users/static/.DS_Store
--- a/users/static/users/.DS_Store
+++ b/users/static/users/.DS_Store