| author | Étienne Loks <etienne.loks@iggdrasil.net> | 2018-10-10 18:46:31 +0200 | 
|---|---|---|
| committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2018-10-24 12:06:09 +0200 | 
| commit | 277ebc5db6548c63e2fdeb29863b7f90044013da (patch) | |
| tree | 6287ef95e9e496aff0f3d837f3ac5a0834a53bcc | |
| parent | 4eb42ac52879dbe377dace0f0bf16df33c13aaf9 (diff) | |
Fix QA basket form validation. Basket: fix rights for basket management.
| -rw-r--r-- | archaeological_finds/forms.py | 9 | ||||
| -rw-r--r-- | archaeological_finds/views.py | 4 | 
2 files changed, 8 insertions, 5 deletions
diff --git a/archaeological_finds/forms.py b/archaeological_finds/forms.py
index b77560ac9..cf08e1a19 100644
--- a/archaeological_finds/forms.py
+++ b/archaeological_finds/forms.py
@@ -448,7 +448,7 @@ class QAFindBasketForm(IshtarForm):
         choices=(('create', _(u"Create")),
                  ('update', _(u"Update"))), initial='create')
     label = forms.CharField(label="", max_length=None, required=False)
-    basket = forms.ChoiceField(label=_(u"Basket"), required=True, choices=[])
+    basket = forms.ChoiceField(label=_(u"Basket"), required=False, choices=[])
     def __init__(self, *args, **kwargs):
         self.user = None
@@ -468,6 +468,9 @@ class QAFindBasketForm(IshtarForm):
     def clean(self):
         if self.cleaned_data['create_or_update'] == 'update':
+            if not self.cleaned_data['basket']:
+                raise forms.ValidationError(
+                    _(u"On update, you have to select a basket."))
             return self.cleaned_data
         label = self.cleaned_data['label'].strip()
         if not label:
@@ -986,8 +989,8 @@ class FindBasketAddItemForm(forms.Form):
             raise PermissionDenied
         # check rights
         if not user.user_ptr.is_superuser and \
-                not user.has_right('change_find') and \
-                not (user.has_right('change_own_find')
+                not user.has_right('view_find') and \
+                not (user.has_right('view_own_find')
                      and item.is_own(user)):
             raise PermissionDenied
         basket.items.add(item)
diff --git a/archaeological_finds/views.py b/archaeological_finds/views.py
index e930c0830..7855b5099 100644
--- a/archaeological_finds/views.py
+++ b/archaeological_finds/views.py
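Review bot: `self.cleaned_data['basket']` in the check added to `QAFindBasketForm.clean()` raises KeyError instead of a form error when the submitted basket value was rejected by the ChoiceField, because Django removes a field that failed validation from `cleaned_data` before it calls `clean()`. A tampered or stale basket id would then surface as a server error rather than a validation message; I'd write the guard as `if not self.cleaned_data.get('basket'):`. The context line `self.cleaned_data['create_or_update'] == 'update'` has the same exposure and could use `.get('create_or_update')` as well. The body of `clean()` continues past the end of the hunk.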
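Review bot: The `# check rights` comment in FindBasketAddItemForm no longer explains the check beneath it, which now accepts `view_find` (or `view_own_find` on an owned find) where it used to require change rights. Since this lowers an authorization bar, the reason should be recorded at the check, for example `# a basket only references finds, so view rights on the find are enough`, if that is the intent. The same three-clause condition is repeated in FindBasketDeleteItemView in views.py and had to be edited in step here, so the two copies need to stay aligned. The basket lookup sits above the hunk, so whether the basket itself is restricted to the requesting user cannot be confirmed from these lines.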
@@ -336,8 +336,8 @@ class FindBasketDeleteItemView(IshtarMixin, LoginRequiredMixin, TemplateView):
         except models.FindBasket.DoesNotExist:
             raise PermissionDenied
         if not user.is_superuser and \
-                not ishtaruser.has_right('change_find') and \
-                not (ishtaruser.has_right('change_own_find')
+                not ishtaruser.has_right('view_find') and \
+                not (ishtaruser.has_right('view_own_find')
                      and find.is_own(user)):
             raise PermissionDenied
         basket.items.remove(find)
|
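Review bot: `find.is_own(user)` in this view is passed `user`, the object whose `is_superuser` is read directly, while the rights are checked on the separate `ishtaruser`. In forms.py the matching call `item.is_own(user)` receives the object that carries `has_right` and `user_ptr`, so the two call sites appear to hand `is_own` different types. If `is_own` expects the Ishtar user, the `view_own_find` branch here may never grant access or may fail; after confirming the signature I'd change the line to `and find.is_own(ishtaruser)):`. `is_own` is not shown on this page and the method containing this check begins above the hunk.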
