Sheet: only display window link when permissions are OK

12 files changed, 82 insertions, 32 deletions

diff --git a/archaeological_finds/templates/ishtar/sheet_find.html b/archaeological_finds/templates/ishtar/sheet_find.html
index 1ff5e21f4..3036c2cb6 100644
--- a/archaeological_finds/templates/ishtar/sheet_find.html
+++ b/archaeological_finds/templates/ishtar/sheet_find.html
@@ -291,7 +291,7 @@
               <td class='string'>{{ treatment.label|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.treatment_types_lbl }}</td>
               <td class='string'>{{ treatment.treatment_state|default_if_none:"-" }}</td>
-              <td class='item-list'>{% for it in treatment.limited_finds %}<span>{{it}} {{it|link_to_window}}</span>{% endfor %}</td>
+              <td class='item-list'>{% for it in treatment.limited_finds %}<span>{{it}} {{it|link_to_window:request}}</span>{% endfor %}</td>
               <td class='string'>{{ treatment.person|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.container|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.start_date|default_if_none:"-" }}</td>
@@ -328,7 +328,7 @@
               <td class='string'>{{ treatment.label|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.treatment_types_lbl }}</td>
               <td class='string'>{{ treatment.treatment_state|default_if_none:"-" }}</td>
-              <td class='item-list'>{% for it in items %}<span>{{it}} {{it|link_to_window}}</span>{% endfor %}</td>
+              <td class='item-list'>{% for it in items %}<span>{{it}} {{it|link_to_window:request}}</span>{% endfor %}</td>
               <td class='string'>{{ treatment.person|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.container|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.start_date|default_if_none:"-" }}</td>
@@ -366,7 +366,7 @@
               <td class='string'>{{ treatment.label|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.treatment_types_lbl }}</td>
               <td class='string'>{{ treatment.treatment_state|default_if_none:"-" }}</td>
-              <td class='item-list'>{% for it in items %}<span>{{it}} {{ it|link_to_window}}</span>{% endfor %}</td>
+              <td class='item-list'>{% for it in items %}<span>{{it}} {{ it|link_to_window:request}}</span>{% endfor %}</td>
               <td class='string'>{{ treatment.person|default_if_none:"" }}</td>
               <td class='string'>{{ treatment.container|default_if_none:"-" }}</td>
               <td class='string'>{{ treatment.start_date|default_if_none:"" }}</td>
diff --git a/archaeological_finds/templates/ishtar/wizard/wizard_findbasket_deletion.html b/archaeological_finds/templates/ishtar/wizard/wizard_findbasket_deletion.html
index ffd5f0398..15c82bd05 100644
--- a/archaeological_finds/templates/ishtar/wizard/wizard_findbasket_deletion.html
+++ b/archaeological_finds/templates/ishtar/wizard/wizard_findbasket_deletion.html
@@ -7,7 +7,7 @@
     <i class="fa fa-exclamation-triangle" aria-hidden="true"></i>
     {% trans "This basket is attached to treatments requests:" %}
     <ul>{% for tf in current_object.treatment_files.all %}
-        <li>{{ tf }} {{tf|link_to_window}}</li>
+        <li>{{ tf }} {{tf|link_to_window:request}}</li>
     {% endfor %}</ul>
     {% trans "Are you sure you want to delete this basket?" %}
 </div>
@@ -16,7 +16,7 @@
     {% trans "Items inside the basket (these items will not be deleted):" %}
 </div>
 <ul>{% for item in current_object.items.all %}
-    <li>{{item}} {{item|link_to_window}}</li>
+    <li>{{item}} {{item|link_to_window:request}}</li>
 {% endfor %}</ul>
 
 <div class="alert alert-info">
diff --git a/archaeological_finds/templates/ishtar/wizard/wizard_treatement_deletion.html b/archaeological_finds/templates/ishtar/wizard/wizard_treatement_deletion.html
index be46bfd05..f084ad35c 100644
--- a/archaeological_finds/templates/ishtar/wizard/wizard_treatement_deletion.html
+++ b/archaeological_finds/templates/ishtar/wizard/wizard_treatement_deletion.html
@@ -10,7 +10,7 @@
     {% trans "The following finds will be deleted and restored to a previous version."%}
     <ul>{% for item in current_object.downstream.all %}
         <li>
-            {{item}} {{item|link_to_window}}
+            {{item}} {{item|link_to_window:request}}
         </li>
     {% endfor %}</ul>
     {% trans "All changes made to the associated finds since this treatment record will be lost!" %}
diff --git a/archaeological_finds/tests.py b/archaeological_finds/tests.py
index ae03b2ba4..876bbecb2 100644
--- a/archaeological_finds/tests.py
+++ b/archaeological_finds/tests.py
@@ -815,6 +815,27 @@ class FindQATest(FindInit, TestCase):
                          base_desc_1 + u"\n" + extra_desc)
 
 
+class FindHistoryTest(FindInit, TestCase):
+    fixtures = FIND_FIXTURES
+    model = models.Find
+
+    def setUp(self):
+        self.create_finds(data_base={"label": u"Find 1"}, force=True)
+        self.create_finds(data_base={"label": u"Find 2"}, force=True)
+        self.username, self.password, self.user = create_superuser()
+        self.client = Client()
+        self.client.login(username=self.username, password=self.password)
+
+    def test_m2m_history_save(self):
+        pass
+
+    def test_m2m_history_display(self):
+        pass
+
+    def test_m2m_history_restore(self):
+        pass
+
+
 class TreatmentTest(FindInit, TestCase):
     fixtures = FIND_FIXTURES
     model = models.Find
diff --git a/archaeological_warehouse/models.py b/archaeological_warehouse/models.py
index 3b157ee0c..3e2b87551 100644
--- a/archaeological_warehouse/models.py
+++ b/archaeological_warehouse/models.py
@@ -321,6 +321,8 @@ post_delete.connect(post_save_cache, sender=ContainerType)
 
 
 class Container(LightHistorizedItem, ImageModel, OwnPerms):
+    SLUG = 'container'
+    SHOW_URL = 'show-container'
     TABLE_COLS = ['reference', 'container_type__label', 'cached_location',
                   'cached_division', 'old_reference']
     IMAGE_PREFIX = 'containers/'
@@ -344,7 +346,6 @@ class Container(LightHistorizedItem, ImageModel, OwnPerms):
         'finds': 'finds',
         'container_type__label': 'container_type__label',
     }
-    SHOW_URL = 'show-container'
     COL_LABELS = {
         'cached_location': _(u"Location - index"),
         'cached_division': _(u"Precise localisation"),
diff --git a/ishtar_common/forms_common.py b/ishtar_common/forms_common.py
index 1cbaecb92..b461d6266 100644
--- a/ishtar_common/forms_common.py
+++ b/ishtar_common/forms_common.py
@@ -40,7 +40,7 @@ from django.utils.translation import ugettext_lazy as _, pgettext
 import models
 import widgets
 from bootstrap_datepicker.widgets import DatePicker
-from ishtar_common.templatetags.link_to_window import link_to_window
+from ishtar_common.templatetags.link_to_window import simple_link_to_window
 from forms import FinalForm, FormSet, reverse_lazy, name_validator, \
     TableSelect, ManageOldType, CustomForm, FieldType, FormHeader, \
     FormSetWithDeleteSwitches, IshtarForm, get_data_from_formset
@@ -414,7 +414,7 @@ class MergeIntoForm(forms.Form):
             except self.associated_model.DoesNotExist:
                 continue
             self.fields['main_item'].choices.append(
-                (item.pk, mark_safe(u"{} {}".format(link_to_window(item),
+                (item.pk, mark_safe(u"{} {}".format(simple_link_to_window(item),
                                                     unicode(item)))))
 
     def merge(self):
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index 2915c4997..319f19539 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -238,21 +238,29 @@ class OwnPerms(object):
         """
         return None  # implement for each object
 
+    def can_view(self, request):
+        if hasattr(self, "LONG_SLUG"):
+            perm = "view_" + self.LONG_SLUG
+        else:
+            perm = "view_" + self.SLUG
+        return self.can_do(request, perm)
+
     def can_do(self, request, action_name):
         """
         Check permission availability for the current object.
         :param request: request object
-        :param action_name: action name eg: "change_find" - "own" declinaison is
+        :param action_name: action name eg: "change_find" - "own" variation is
         checked
         :return: boolean
         """
+        if not getattr(request.user, 'ishtaruser', None):
+            return False
         splited = action_name.split('_')
         action_own_name = splited[0] + '_own_' + '_'.join(splited[1:])
-        return request.user.ishtaruser.has_right(
-            action_name, request.session) or \
-               (request.user.ishtaruser.has_right(
-                   action_own_name, request.session)
-                and self.is_own(request.user.ishtaruser))
+        user = request.user
+        return user.ishtaruser.has_right(action_name, request.session) or \
+               (user.ishtaruser.has_right(action_own_name, request.session)
+                and self.is_own(user.ishtaruser))
 
     def is_own(self, user, alt_query_own=None):
         """
diff --git a/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html b/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
index 6247920cd..d3a49ecc9 100644
--- a/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
+++ b/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
@@ -1,7 +1,7 @@
 {% load i18n link_to_window %}
 {% if item.history_creator.ishtaruser.person %}
 <div class="col-12 col-md-6 col-lg-3 flex-wrap">
-    <dt>{% trans "Creation" context "Sheet" %}{{item.history_creator.ishtaruser.person|link_to_window}}</dt>
+    <dt>{% trans "Creation" context "Sheet" %}{{item.history_creator.ishtaruser.person|link_to_window:request}}</dt>
     <dd>
         {{item.history_creator.ishtaruser.person}}<br/>
         <small class="text-muted">{{item.history_creation_date|date:"DATETIME_FORMAT"}}</small>
@@ -10,7 +10,7 @@
 {% endif %}
 {% if item.history_creation_date != item.last_edition_date %}
 <div class="col-12 col-md-6 col-lg-3 flex-wrap">
-    <dt>{% trans "Modification" context "Sheet" %}{{item.history_modifier.ishtaruser.person|link_to_window}}</dt>
+    <dt>{% trans "Modification" context "Sheet" %}{{item.history_modifier.ishtaruser.person|link_to_window:request}}</dt>
     <dd>
         {{item.history_modifier.ishtaruser.person}}<br/>
         <small class="text-muted">{% firstof item.history_date|date:"DATETIME_FORMAT" item.history.all.0.history_date|date:"DATETIME_FORMAT" %}</small>
diff --git a/ishtar_common/templates/ishtar/import_step_by_step.html b/ishtar_common/templates/ishtar/import_step_by_step.html
index 998bf99c6..4b791b98f 100644
--- a/ishtar_common/templates/ishtar/import_step_by_step.html
+++ b/ishtar_common/templates/ishtar/import_step_by_step.html
@@ -189,7 +189,7 @@
 
 <div class="card">
     <div class="card-body">
-        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|link_to_window}} ({{obj.get_verbose_name}})</h5>
+        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|simple_link_to_window}} ({{obj.get_verbose_name}})</h5>
     </div>
     <div class="card-body">
 
@@ -235,7 +235,7 @@
 
 <div class="card">
     <div class="card-body">
-        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|link_to_window}} ({{obj.get_verbose_name}})</h5>
+        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|simple_link_to_window}} ({{obj.get_verbose_name}})</h5>
     </div>
     <div class="card-body">
 
diff --git a/ishtar_common/templatetags/link_to_window.py b/ishtar_common/templatetags/link_to_window.py
index fca5a9f91..892492895 100644
--- a/ishtar_common/templatetags/link_to_window.py
+++ b/ishtar_common/templatetags/link_to_window.py
@@ -9,7 +9,7 @@ register = Library()
 
 
 @register.filter
-def link_to_window(item):
+def simple_link_to_window(item):
     if not hasattr(item, 'SHOW_URL'):
         return ""
     return mark_safe(
@@ -20,6 +20,22 @@ def link_to_window(item):
 
 
 @register.filter
+def link_to_window(item, context):
+    if not hasattr(item, 'can_view'):  # no permission check
+        return simple_link_to_window(item)
+    if hasattr(context, "request"):  # WSGIRequest
+        request = context.request
+    elif "request" in context:  # RequestContext
+        request = context['request']
+    else:
+        return u""
+    if not item.can_view(request):
+        print(item, "NOK3")
+        return u""
+    return simple_link_to_window(item)
+
+
+@register.filter
 def link_to_odt(item):
     return reverse(item.SHOW_URL, args=[item.pk, 'odt'])
 
@@ -52,7 +68,7 @@ def add_links(items, extra_attr=''):
             lbl = item.fancy_str()
         else:
             lbl = unicode(item)
-        html.append(u"{} {}".format(lbl, link_to_window(item_lnk)))
+        html.append(u"{} {}".format(lbl, simple_link_to_window(item_lnk)))
     return mark_safe(u"<br/>".join(html))
 
 
diff --git a/ishtar_common/templatetags/window_field.py b/ishtar_common/templatetags/window_field.py
index 30a711ed9..3af9ed634 100644
--- a/ishtar_common/templatetags/window_field.py
+++ b/ishtar_common/templatetags/window_field.py
@@ -145,20 +145,24 @@ def field_flex_multiple_full(caption, data, small=False):
     return field_multiple(caption, data, size=size)
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_detail.html')
-def field_detail(caption, item, li=False, size=None):
-    return {'caption': caption, 'item': item, 'link': link_to_window(item),
+@register.inclusion_tag('ishtar/blocks/window_field_detail.html',
+                        takes_context=True)
+def field_detail(context, caption, item, li=False, size=None):
+    return {'caption': caption, 'item': item,
+            'link': link_to_window(item, context),
             'li': li, 'size': size}
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_detail.html')
-def field_li_detail(caption, item):
-    return field_detail(caption, item, li=True)
+@register.inclusion_tag('ishtar/blocks/window_field_detail.html',
+                        takes_context=True)
+def field_li_detail(context, caption, item):
+    return field_detail(context, caption, item, li=True)
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_flex_detail.html')
-def field_flex_detail(caption, item, small=False):
+@register.inclusion_tag('ishtar/blocks/window_field_flex_detail.html',
+                        takes_context=True)
+def field_flex_detail(context, caption, item, small=False):
     size = None
     if small:
         size = 2
-    return field_detail(caption, item, size=size)
+    return field_detail(context, caption, item, size=size)
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 710feb8c6..8b2602dbc 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -58,7 +58,7 @@ from ishtar_common import forms_common as forms
 from ishtar_common import wizards
 from ishtar_common.forms import FinalForm, FinalDeleteForm
 from ishtar_common.models import get_current_profile
-from ishtar_common.templatetags.link_to_window import link_to_window
+from ishtar_common.templatetags.link_to_window import simple_link_to_window
 from ishtar_common.utils import clean_session_cache, CSV_OPTIONS, \
     get_field_labels_from_path, get_random_item_image_link, shortify
 from ishtar_common.widgets import JQueryAutoComplete
@@ -1457,7 +1457,7 @@ class ImportStepByStepView(IshtarMixin, LoginRequiredMixin, TemplateView):
 
     def get_value(self, item):
         if hasattr(item, 'SHOW_URL'):
-            return u"{}{}".format(unicode(item), link_to_window(item))
+            return u"{}{}".format(unicode(item), simple_link_to_window(item))
         if hasattr(item, 'explicit_label'):
             return item.explicit_label
         if item in (None, [], [None]):