author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-01-09 12:40:57 +0100 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-02-19 14:45:56 +0100 |
commit | 13f9202121e5470827174079da7fc699a8227295 (patch) | |
tree | 6805622d0a6369412cee1da958768bf94a524f55 | |
parent | edec846118a178ed1a6a5803f8bcbf26742f4b82 (diff) | |
download | Ishtar-13f9202121e5470827174079da7fc699a8227295.tar.bz2 Ishtar-13f9202121e5470827174079da7fc699a8227295.zip |
🐛 new permissions: fix permission_check for action (refs #6126)
-rw-r--r-- | archaeological_context_records/views.py | 17 | ||||
-rw-r--r-- | archaeological_files/views.py | 21 | ||||
-rw-r--r-- | archaeological_finds/views.py | 11 | ||||
-rw-r--r-- | archaeological_operations/views.py | 60 | ||||
-rw-r--r-- | archaeological_warehouse/views.py | 28 | ||||
-rw-r--r-- | ishtar_common/admin.py | 1 | ||||
-rw-r--r-- | ishtar_common/tests.py | 4 | ||||
-rw-r--r-- | ishtar_common/views.py | 130 | ||||
-rw-r--r-- | ishtar_common/views_item.py | 47 |
9 files changed, 132 insertions, 187 deletions
diff --git a/archaeological_context_records/views.py b/archaeological_context_records/views.py index 691564341..49b94553e 100644 --- a/archaeological_context_records/views.py +++ b/archaeological_context_records/views.py @@ -41,7 +41,7 @@ from ishtar_common.views import ( wizard_is_available, QAItemEditForm, ) -from ishtar_common.views_item import get_item, show_item, revert_item +from ishtar_common.views_item import get_item, get_autocomplete_query, show_item, revert_item from archaeological_context_records import wizards show_contextrecord = show_item( @@ -51,19 +51,12 @@ revert_contextrecord = revert_item(models.ContextRecord) def autocomplete_contextrecord(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if not ishtaruser.has_permission( - "archaeological_context_records.view_contextrecord" - ) and not ishtaruser.has_permission( - "archaeological_context_records.view_own_contextrecord", - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query( + request, "archaeological_context_records", "contextrecord" + ) + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() if request.GET.get("operation__pk"): query = Q(operation__pk=request.GET.get("operation__pk")) for q in q.split(" "): diff --git a/archaeological_files/views.py b/archaeological_files/views.py index 0d3f978b5..5a8ce1975 100644 --- a/archaeological_files/views.py +++ b/archaeological_files/views.py @@ -49,6 +49,7 @@ from archaeological_files.wizards import ( FileEditAdministrativeActWizard, ) from ishtar_common.views import IshtarMixin, LoginRequiredMixin +from ishtar_common.views_item import get_autocomplete_query from archaeological_operations.wizards import OperationWizard from archaeological_operations.views import operation_creation_wizard, get_parcel_modify 
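Review bot: In autocomplete_contextrecord the `operation__pk` branch assigns `query = Q(operation__pk=request.GET.get("operation__pk"))`, which replaces the `Q(pk__in=object_ids)` that get_autocomplete_query returns for a user holding only view_own_contextrecord, so that user then sees every record of the operation; it should be `query &= Q(operation__pk=request.GET.get("operation__pk"))`. The same overwrite is in autocomplete_container in archaeological_warehouse/views.py, where `base_query = Q(location_id=warehouse_id)` discards the ownership restriction in the same way. The body of autocomplete_contextrecord continues outside the hunk.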
@@ -62,18 +63,10 @@ RE_YEAR_INDEX = re.compile(r"([1-2][0-9]{3})-([0-9]+)") # eg.: 2014-123 def autocomplete_file(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if ( - not ishtaruser.has_permission("archaeological_files.view_file") - and not ishtaruser.has_permission("archaeological_files.view_own_file") - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "archaeological_files", "file") + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): extra = ( Q(internal_reference__icontains=q) @@ -538,14 +531,14 @@ class PreventiveEditView(IshtarMixin, LoginRequiredMixin, MixFormFormsetUpdateVi def get_form_kwargs(self): kwargs = super(PreventiveEditView, self).get_form_kwargs() try: - file = models.File.objects.get(pk=self.kwargs.get("pk")) + file_obj = models.File.objects.get(pk=self.kwargs.get("pk")) except models.Document.DoesNotExist: raise Http404() - if not check_permission(self.request, "file/edit-preventive/", file.pk): + if not check_permission(self.request, "archaeological_files.change_file", file_obj): raise Http404() initial = {} for k in list(self.form_class.base_fields.keys()): - value = getattr(file, k) + value = getattr(file_obj, k) if hasattr(value, "all"): value = ",".join([str(v.pk) for v in value.all()]) if hasattr(value, "pk"): @@ -553,7 +546,7 @@ class PreventiveEditView(IshtarMixin, LoginRequiredMixin, MixFormFormsetUpdateVi initial[k] = value kwargs["initial"] = initial kwargs["user"] = self.request.user - self.file = file + self.file = file_obj return kwargs def get_context_data(self, **kwargs): diff --git a/archaeological_finds/views.py b/archaeological_finds/views.py index 52085f2ef..aa51d129d 100644 --- a/archaeological_finds/views.py +++ b/archaeological_finds/views.py 
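Review bot: PreventiveEditView.get_form_kwargs now passes `"archaeological_files.change_file"` to check_permission, which per the views_item.py hunk of this commit returns True whenever `action_slug not in main_menu.items`; unless the menu is keyed by Django permission codenames rather than the former `file/edit-preventive/` style slugs, this edit view is no longer protected. The same switch is made for DocumentEditView (`ishtar_common.change_document`) and GeoEditView (`ishtar_common.change_geovectordata`) in ishtar_common/views.py. If check_permission is meant to accept codenames it should deny unknown slugs, or resolve a codename through the user's has_permission before falling back to the menu. The `except models.Document.DoesNotExist` around the `models.File` lookup (a context line here) still lets a missing file surface as an unhandled exception rather than a 404.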
@@ -59,6 +59,7 @@ from ishtar_common.views_item import ( revert_item, get_autocomplete_item, get_autocomplete_queries, + get_autocomplete_query ) from archaeological_operations.wizards import AdministrativeActDeletionWizard @@ -168,18 +169,12 @@ get_administrativeacttreatmentfile = get_item( def autocomplete_treatmentfile(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if ( - not ishtaruser.has_permission("archaeological_finds.view_treatment") - and not ishtaruser.has_permission("archaeological_finds.view_own_treatment") - ): + query = get_autocomplete_query(request, "archaeological_finds", "treatmentfile") + if query is None: return HttpResponse(content_type="text/plain") if not request.GET.get("term"): return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q1 in q.split(" "): for q in q1.split(" "): extra = ( diff --git a/archaeological_operations/views.py b/archaeological_operations/views.py index a93ba80e3..db5721be7 100644 --- a/archaeological_operations/views.py +++ b/archaeological_operations/views.py 
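Review bot: autocomplete_treatmentfile now checks `archaeological_finds.view_treatmentfile` / `view_own_treatmentfile`, whereas the removed lines checked `view_treatment` / `view_own_treatment`; that is a permission change not covered by the commit message, so confirm the new codenames exist, otherwise the autocomplete denies everyone. The `if not request.GET.get("term")` check that follows is now dead, since get_autocomplete_query already returns None for a missing term. The function body continues outside the hunk.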
@@ -52,23 +52,16 @@ from ishtar_common.views import ( IshtarMixin, LoginRequiredMixin, ) -from ishtar_common.views_item import get_item, show_item, revert_item, new_qa_item +from ishtar_common.views_item import get_item, get_autocomplete_query, show_item, \ + revert_item, new_qa_item from ishtar_common.wizards import SearchWizard def autocomplete_patriarche(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if ( - not ishtaruser.has_permission("archaeological_operations.view_operation") - and not ishtaruser.has_permission("archaeological_operations.view_own_operation") - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "archaeological_operations", "operation") + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): query &= Q(code_patriarche__startswith=q) limit = 15 @@ -85,19 +78,12 @@ def autocomplete_patriarche(request): def autocomplete_archaeologicalsite(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if not ishtaruser.has_permission( - "archaeological_operations.view_archaeologicalsite" - ) and not ishtaruser.has_permission( - "archaeological_operations.view_own_archaeologicalsite", - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query( + request, "archaeological_operations", "archaeologicalsite" + ) + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): qt = Q(reference__icontains=q) | Q(name__icontains=q) query = query & qt 
@@ -120,21 +106,10 @@ new_archaeologicalsite = new_qa_item( def autocomplete_operation(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - # person_types = request.user.ishtaruser.person.person_type - if ( - not ishtaruser.has_permission("archaeological_operations.view_operation") - and not ishtaruser.has_permission( - "archaeological_operations.view_own_operation" - ) - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "archaeological_operations", "operation") + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): extra = Q(towns__name__icontains=q) | Q(common_name__icontains=q) try: @@ -1041,19 +1016,12 @@ def administrativeactfile_document( def autocomplete_administrativeact(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if not ishtaruser.has_permission( - "archaeological_operations.view_administrativeact" - ) and not ishtaruser.has_permission( - "archaeological_operations.view_own_administrativeact" - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query( + request, "archaeological_operations", "administrativeact" + ) + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): qt = Q(act_type__label__icontains=q) | Q(towns_label=q) try: diff --git a/archaeological_warehouse/views.py b/archaeological_warehouse/views.py index 416849c9a..f8e632e9e 100644 --- a/archaeological_warehouse/views.py +++ b/archaeological_warehouse/views.py 
@@ -45,7 +45,7 @@ from ishtar_common.views import ( QAItemEditForm, wizard_is_available, ) -from ishtar_common.views_item import get_item, show_item, new_qa_item, revert_item +from ishtar_common.views_item import get_item, get_autocomplete_query, show_item, new_qa_item, revert_item from archaeological_finds.views import treatment_add from archaeological_warehouse.wizards import ( @@ -95,19 +95,10 @@ new_container = new_qa_item( def autocomplete_warehouse(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if not ishtaruser.has_permission( - "archaeological_warehouse.view_warehouse" - ) and not ishtaruser.has_permission( - "archaeological_warehouse.view_own_warehouse", models.Warehouse - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "archaeological_warehouse", "warehouse") + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): extra = Q(name__icontains=q) | Q(slug__icontains=q) | \ Q(warehouse_type__label__icontains=q) @@ -121,20 +112,11 @@ def autocomplete_warehouse(request): def autocomplete_container(request, warehouse_id=None): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse(content_type="text/plain") - if not ishtaruser.has_permission( - "archaeological_warehouse.view_container" - ) and not ishtaruser.has_permission( - "archaeological_warehouse.view_own_container" - ): - return HttpResponse(content_type="text/plain") - if not request.GET.get("term"): + base_query = get_autocomplete_query(request, "archaeological_warehouse", "container") + if base_query is None: return HttpResponse(content_type="text/plain") term = request.GET.get("term").strip() limit = 15 - base_query = Q() if warehouse_id: base_query = Q(location_id=warehouse_id) try: 
diff --git a/ishtar_common/admin.py b/ishtar_common/admin.py index 6fda81283..cc26d6253 100644 --- a/ishtar_common/admin.py +++ b/ishtar_common/admin.py @@ -1871,7 +1871,6 @@ class ProfileTypeAdmin(GeneralTypeAdmin): ) ) - def check_permission(self, request, object_id): # check that all "own" permission has a request associated try: diff --git a/ishtar_common/tests.py b/ishtar_common/tests.py index 32e1f12a8..daa814a94 100644 --- a/ishtar_common/tests.py +++ b/ishtar_common/tests.py @@ -1517,7 +1517,9 @@ class AutocompleteTestBase: self.assertEqual( response.status_code, 200, msg="Status code != 200 - {}".format(url) ) - data = json.loads(response.content.decode()) + result = response.content.decode() + self.assertTrue(result) + data = json.loads(result) self.assertEqual( len(data), 1, diff --git a/ishtar_common/views.py b/ishtar_common/views.py index 6411441f1..3a7dc06b7 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -98,11 +98,12 @@ from ishtar_common import tasks from .views_item import ( check_permission, display_item, + get_autocomplete_query, get_item, - show_item, - new_qa_item, - modify_qa_item, get_short_html_detail, + modify_qa_item, + new_qa_item, + show_item, ) convert_document = None @@ -866,10 +867,8 @@ def autocomplete_person_permissive( def autocomplete_user(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - if not ishtaruser.has_permission("ishtar_common.view_person"): + query = get_autocomplete_query(request, "ishtar_common", "view_person") + if query: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term") limit = request.GET.get("limit", 20) @@ -877,7 +876,6 @@ def autocomplete_user(request): limit = int(limit) except ValueError: return HttpResponseBadRequest() - query = Q() for q in q.split(" "): qu = ( Q(ishtaruser__person__name__icontains=q) 
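Review bot: `if query:` in autocomplete_user inverts the guard every other call site uses (`if query is None:`): an empty `Q()` is falsy, so both a fully permitted user and a caller that received None fall through, and the latter then fails on `query & qu` in the loop below; change it to `if query is None:`. Every call in this file also passes a permission codename as the model name (`"view_person"`, `"view_import"`, `"view_document"`, `"view_organization"`, `"view_author"`), but get_autocomplete_query builds `f"{app}.view_{model_name}"`, which yields `ishtar_common.view_view_person`, a permission that presumably does not exist, so these autocompletes now deny everyone; pass `"person"`, `"import"`, `"document"`, `"organization"`, `"author"` instead. The same argument mistake is in the following hunks for autocomplete_ishtaruser, autocomplete_person, autocomplete_import, autocomplete_document, autocomplete_organization, autocomplete_author and autocomplete_biographical_note. autocomplete_person and autocomplete_import previously narrowed "own" results with `get_query_owns`; the replacement relies on guardian object rows alone, which may be a different set, so a user holding only the view_own permission is worth re-testing.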
@@ -899,10 +897,8 @@ def autocomplete_user(request): def autocomplete_ishtaruser(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - if not ishtaruser.has_permission("ishtar_common.view_person"): + query = get_autocomplete_query(request, "ishtar_common", "view_person") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term", "") limit = request.GET.get("limit", 20) @@ -910,7 +906,6 @@ def autocomplete_ishtaruser(request): limit = int(limit) except ValueError: return HttpResponseBadRequest() - query = Q() for q in q.split(" "): qu = ( Q(person__name__unaccent__icontains=q) @@ -926,14 +921,8 @@ def autocomplete_ishtaruser(request): def autocomplete_person( request, person_types=None, attached_to=None, is_ishtar_user=None, permissive=False ): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - all_items = ishtaruser.has_permission("ishtar_common.view_person") - own_items = False - if not all_items: - own_items = ishtaruser.has_permission("ishtar_common.view_own_person") - if not all_items and not own_items or not request.GET.get("term"): + query = get_autocomplete_query(request, "ishtar_common", "view_person") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term") limit = request.GET.get("limit", 20) @@ -941,7 +930,6 @@ def autocomplete_person( limit = int(limit) except ValueError: return HttpResponseBadRequest() - query = Q() for q in q.split(" "): qu = ( Q(name__unaccent__icontains=q) 
@@ -964,10 +952,6 @@ def autocomplete_person( pass if is_ishtar_user: query = query & Q(ishtaruser__isnull=False) - if own_items: - if not hasattr(request.user, "ishtaruser"): - return HttpResponse(json.dumps([]), content_type="text/plain") - query &= models.Person.get_query_owns(request.user.ishtaruser) persons = models.Person.objects.filter(query).distinct()[:limit] data = json.dumps( [{"id": person.pk, "value": str(person)} for person in persons if person] @@ -976,14 +960,8 @@ def autocomplete_person( def autocomplete_import(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - all_items = ishtaruser.has_permission("ishtar_common.view_import") - own_items = False - if not all_items: - own_items = ishtaruser.has_permission("ishtar_common.view_own_import") - if not all_items and not own_items or not request.GET.get("term"): + query = get_autocomplete_query(request, "ishtar_common", "view_import") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term") limit = request.GET.get("limit", 20) @@ -991,14 +969,9 @@ def autocomplete_import(request): limit = int(limit) except ValueError: return HttpResponseBadRequest() - query = Q() for q in q.split(" "): query = query & (Q(name__unaccent__icontains=q) | Q(group__name__unaccent__icontains=q)) - if own_items: - if not hasattr(request.user, "ishtaruser"): - return HttpResponse(json.dumps([]), content_type="text/plain") - query &= models.Import.get_query_owns(request.user.ishtaruser) items = models.Import.objects.filter(query).distinct()[:limit] data = [{"id": item.pk, "value": item.name} for item in items if item] return HttpResponse(json.dumps(data), content_type="text/plain") 
@@ -1085,7 +1058,8 @@ def autocomplete_advanced_town(request, department_id=None, state_id=None): def autocomplete_document(request): - if not request.GET.get("term"): + query = get_autocomplete_query(request, "ishtar_common", "view_document") + if query is None: return HttpResponse(content_type="text/plain") q = request.GET.get("term") q = unicodedata.normalize("NFKD", q).encode("ascii", "ignore").decode() @@ -1097,12 +1071,11 @@ def autocomplete_document(request): "authors__person__cached_label__icontains", "authors_raw__icontains", ] - query = None for q in q.split(" "): qu = Q(**{fields[0]: q}) for field in fields[1:]: qu |= Q(**{field: q}) - query = qu if not query else query & qu + query = query & qu limit = 20 items = models.Document.objects.filter(query).exclude(title="").distinct()[:limit] data = json.dumps([{"id": item.pk, "value": str(item)} for item in items]) @@ -1128,18 +1101,10 @@ def department_by_state(request, state_id=""): def autocomplete_organization(request, orga_type=None): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - if ( - not ishtaruser.has_permission("ishtar_common.view_organization") - and not ishtaruser.has_permission("ishtar_common.view_own_organization") - ): - return HttpResponse("[]", content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "ishtar_common", "view_organization") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): extra = Q(cached_label__unaccent__icontains=q) query = query & extra 
@@ -1157,18 +1122,10 @@ def autocomplete_organization(request, orga_type=None): def autocomplete_author(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - if not ishtaruser.has_permission( - "ishtar_common.view_author" - ) and not ishtaruser.has_permission( - "ishtar_common.view_own_author"): - return HttpResponse("[]", content_type="text/plain") - if not request.GET.get("term"): + query = get_autocomplete_query(request, "ishtar_common", "view_author") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term") - query = Q() for q in q.split(" "): extra = ( Q(person__name__icontains=q) @@ -1184,10 +1141,8 @@ def autocomplete_author(request): def autocomplete_biographical_note(request): - ishtaruser = getattr(request.user, "ishtaruser", None) - if not ishtaruser: - return HttpResponse("[]", content_type="text/plain") - if not ishtaruser.has_permission("ishtar_common.view_person"): + query = get_autocomplete_query(request, "ishtar_common", "view_person") + if query is None: return HttpResponse("[]", content_type="text/plain") q = request.GET.get("term", "") limit = request.GET.get("limit", 20) @@ -1195,7 +1150,6 @@ def autocomplete_biographical_note(request): limit = int(limit) except ValueError: return HttpResponseBadRequest() - query = Q() for q in q.split(" "): qu = ( Q(last_name__unaccent__icontains=q) 
@@ -1251,13 +1205,47 @@ show_import = show_item(models.Import, "import") show_import_group = show_item(models.ImportGroup, "importgroup") +ACTION_MODEL_DICT = { + 'import': models.Import, + 'account': models.IshtarUser, + 'document': models.Document, + 'person': models.Person, + 'orga': models.Organization, + 'organization': models.Organization, + 'operation': apps.get_model("archaeological_operations", "Operation"), + 'administrativact': apps.get_model( + "archaeological_operations", "AdministrativeAct"), + 'file': apps.get_model("archaeological_files", "File"), + 'site': apps.get_model("archaeological_operations", "ArchaeologicalSite"), + 'record': apps.get_model("archaeological_context_records", "ContextRecord"), + 'find': apps.get_model("archaeological_finds", "Find"), + 'treatment': apps.get_model("archaeological_finds", "Treatment"), + 'treatmentfle': apps.get_model("archaeological_finds", "TreatmentFile"), + 'exhibition': apps.get_model("archaeological_finds", "Exhibition"), + 'container': apps.get_model("archaeological_warehouse", "Container"), + 'warehouse': apps.get_model("archaeological_warehouse", "Warehouse"), +} + + def action(request, action_slug, obj_id=None, *args, **kwargs): """ Action management """ - if not check_permission(request, action_slug, obj_id): + if not check_permission(request, action_slug): not_permitted_msg = ugettext("Operation not permitted.") - return HttpResponse(not_permitted_msg) + if obj_id: + model_name = action.split('_')[0].split("-")[0].split("/")[0] + if model_name not in ACTION_MODEL_DICT: + print(f"ishtar_common/views - action: {model_name} not in ACTION_MODEL_DICT") + return HttpResponse(not_permitted_msg) + try: + obj = ACTION_MODEL_DICT[model_name].objects.get(pk=obj_id) + except ACTION_MODEL_DICT[model_name].DoesNotExist: + return HttpResponse(not_permitted_msg) + if not check_permission(request, action_slug, obj): + return HttpResponse(not_permitted_msg) + else: + return HttpResponse(not_permitted_msg) 
request.session["CURRENT_ACTION"] = action_slug dct = {} globals_dct = globals() @@ -2845,7 +2833,7 @@ class DocumentEditView(DocumentFormMixin, UpdateView): document = models.Document.objects.get(pk=self.kwargs.get("pk")) except models.Document.DoesNotExist: raise Http404() - if not check_permission(self.request, "document/edit", document.pk): + if not check_permission(self.request, "ishtar_common.change_document", document): raise Http404() initial = {} for k in ( @@ -3571,7 +3559,7 @@ class GeoEditView(GeoFormMixin, UpdateView): except models.GeoVectorData.DoesNotExist: raise Http404() - if not check_permission(self.request, "geo/edit", geo.pk): + if not check_permission(self.request, "ishtar_common.change_geovectordata", geo): raise Http404() initial = {} diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py index 345bd0025..9f5755eaf 100644 --- a/ishtar_common/views_item.py +++ b/ishtar_common/views_item.py @@ -134,6 +134,23 @@ LIST_FIELDS = { # key: hierarchic depth HIERARCHIC_FIELDS = list(LIST_FIELDS.keys()) +def get_autocomplete_query(request, app, model_name): + ishtaruser = getattr(request.user, "ishtaruser", None) + if not ishtaruser or not request.GET.get("term"): + return + if ishtaruser.has_permission(f"{app}.view_{model_name}"): + return Q() + if not ishtaruser.has_permission(f"{app}.view_own_{model_name}"): + return + permission_id = Permission.objects.get(codename=f"view_own_{model_name}").id + object_ids = [ + int(pk) for pk in UserObjectPermission.objects.filter( + permission_id=permission_id, user_id=request.user.id + ).values_list("object_pk", flat=True) + ] + return Q(pk__in=object_ids) + + def get_autocomplete_queries(request, label_attributes, extra=None): if not label_attributes: return [Q(pk__isnull=True)] 
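Review bot: `model_name = action.split('_')[0].split("-")[0].split("/")[0]` in action() splits the view function object itself rather than `action_slug`, so any action that fails the global check and carries an obj_id raises AttributeError instead of reaching the object-level check; it should read `model_name = action_slug.split('_')[0].split("-")[0].split("/")[0]`. The keys `'administrativact'` and `'treatmentfle'` in ACTION_MODEL_DICT look mistyped against the `administrativeact` and `treatmentfile` names used elsewhere in this commit; a mismatched key only reaches the fail-closed branch, so those actions would be silently refused. That branch's `print(...)` should be a logging call so the denial is visible in server logs rather than on stdout. The body of action() continues outside the hunk.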
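Review bot: `Permission.objects.get(codename=f"view_own_{model_name}")` in get_autocomplete_query does not constrain the content type, and Django permission codenames are unique only per content type, so a same-named model in another app makes this raise MultipleObjectsReturned (an unhandled error) or bind the wrong permission; add `content_type__app_label=app` to the lookup and filter the UserObjectPermission rows by the same content type. A short docstring would help the many new callers, e.g. `"""Return Q() for full view rights, Q(pk__in=...) for view_own rights, None when the user is absent, the term is missing or no permission is held."""`. The `int(pk)` conversion presumably assumes integer primary keys for the models passed here; a one-line comment stating that would make the assumption visible.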
@@ -171,9 +188,17 @@ def get_autocomplete_item(model, extra=None): extra = {} def func(request, current_right=None, limit=20): + meta = model._meta + model_name = meta.model_name.lower() + if model_name == "basefind": + model_name = "find" + base_query = get_autocomplete_query(request, meta.app_label, model_name) + if base_query is None: + return HttpResponse(content_type="text/plain") result = OrderedDict() + base_query = model.objects.filter(base_query) for query in get_autocomplete_queries(request, ["cached_label"], extra=extra): - objects = model.objects.filter(query).values("cached_label", "id")[:limit] + objects = base_query.filter(query).values("cached_label", "id")[:limit] for obj in objects: if obj["id"] not in list(result.keys()): result[obj["id"]] = obj["cached_label"] @@ -190,15 +215,15 @@ def get_autocomplete_item(model, extra=None): return func -def check_permission(request, action_slug, obj_id=None): +def check_permission(request, action_slug, obj=None): main_menu = Menu(request.user) main_menu.init() if action_slug not in main_menu.items: # TODO return True - if obj_id: + if obj: return main_menu.items[action_slug].is_available( - request.user, obj_id + request.user, obj ) return main_menu.items[action_slug].can_be_available(request.user) @@ -253,12 +278,12 @@ def get_short_html_detail(model): def func(request, pk): model_name = model._meta.object_name not_permitted_msg = ugettext("Operation not permitted.") - if not check_permission(request, "view_" + model_name.lower(), pk): - return HttpResponse(not_permitted_msg) try: item = model.objects.get(pk=pk) except model.DoesNotExist: return HttpResponse(not_permitted_msg) + if not check_permission(request, "view_" + model_name.lower(), item): + return HttpResponse(not_permitted_msg) html = item.get_short_html_detail() return HttpResponse(html) 
@@ -270,15 +295,15 @@ def modify_qa_item(model, frm, callback=None): template = "ishtar/forms/qa_new_item.html" model_name = model._meta.object_name not_permitted_msg = ugettext("Operation not permitted.") - if not check_permission(request, "change_" + model_name.lower(), pk): - return HttpResponse(not_permitted_msg) - slug = model.SLUG - if model.SLUG == "site": - slug = "archaeologicalsite" try: item = model.objects.get(pk=pk) except model.DoesNotExist: return HttpResponse(not_permitted_msg) + if not check_permission(request, "change_" + model_name.lower(), item): + return HttpResponse(not_permitted_msg) + slug = model.SLUG + if model.SLUG == "site": + slug = "archaeologicalsite" url_slug = "modify-" + slug dct = { "page_name": str(_("Modify a %s" % model_name.lower())), |