author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 12:56:36 +0200 |
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 12:56:36 +0200 |
commit | 0427aa8882916d5b0ffbaca27404263ce69fc78f (patch) | |
tree | ae2374f7494ddc29cfb8b31c6e486caa36364bd6 | |
parent | f7e7951cba95f8a4e49477832c849c461c7f69fe (diff) | |
🐛 imports list: fix permissions check
-rw-r--r-- | ishtar_common/models_imports.py | 36 | ||||
-rw-r--r-- | ishtar_common/urls.py | 2 | ||||
-rw-r--r-- | ishtar_common/views.py | 35 |
3 files changed, 46 insertions, 27 deletions
diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index cae04298b..510a9ff7d 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
@@ -230,9 +230,10 @@ class ImporterType(models.Model):
 def __str__(self):
 return self.name
- @classmethod
- def is_own(cls, ishtar_user):
- return bool(cls.objects.filter(users__pk=ishtar_user.pk).count())
+ def is_own(self, ishtar_user):
+ return bool(
+ self.__class__.objects.filter(pk=self.pk, users__pk=ishtar_user.pk).count()
+ )
 @property
 def type_label(self):
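Review bot: The new `is_own` runs a full COUNT through `self.__class__.objects.filter(pk=self.pk, ...)` only to truth-test it; if `users` is the many-to-many the `users__pk` lookup implies, the same answer comes from the instance's own relation with an EXISTS query, `return self.users.filter(pk=ishtar_user.pk).exists()`. The semantics also changed from "is this user attached to any importer type" (the removed classmethod) to "is this user attached to this importer type", which is the check the views need but deserves a docstring, e.g. `"""Return True when *ishtar_user* is one of the users attached to this importer type."""`, so nobody reinstates the old class-wide query.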
@@ -1450,19 +1451,32 @@ class BaseImport(models.Model, OwnPerms, SheetItem):
 def get_permissions_for_actions(cls, user, session):
 if not hasattr(user, "ishtaruser") or not user.ishtaruser:
 return False, False, False, False
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = False, False, False, False
+ permissions = {
+ "can_view_own": False,
+ "can_edit_own": False,
+ "can_delete_own": False,
+ "can_edit_all": False,
+ "can_view_all": False,
+ "can_delete_all": False,
+ }
 if user.is_superuser:
- can_edit_all = True
- can_delete_all = True
+ permissions["can_view_all"] = True
+ permissions["can_edit_all"] = True
+ permissions["can_delete_all"] = True
+ return permissions
+ if user.ishtaruser.has_right("view_import", session=session):
+ permissions["can_view_all"] = True
+ elif user.ishtaruser.has_right("view_own_import", session=session):
+ permissions["can_view_own"] = True
 if user.ishtaruser.has_right("change_import", session=session):
- can_edit_all = True
+ permissions["can_edit_all"] = True
 elif user.ishtaruser.has_right("change_own_import", session=session):
- can_edit_own = True
+ permissions["can_edit_own"] = True
 if user.ishtaruser.has_right("delete_import", session=session):
- can_delete_all = True
+ permissions["can_delete_all"] = True
 elif user.ishtaruser.has_right("delete_own_import", session=session):
- can_delete_own = True
- return can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ permissions["can_delete_own"] = True
+ return permissions
 @classmethod
 def query_can_access(cls, user, perm="view_import"):
diff --git a/ishtar_common/urls.py b/ishtar_common/urls.py
index babdece35..2fa5ecfb3 100644
--- a/ishtar_common/urls.py
+++ b/ishtar_common/urls.py
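Review bot: The guard at the top of `get_permissions_for_actions` still does `return False, False, False, False`, a 4-tuple, while every other path now returns the `permissions` dict; the callers changed in this commit index the result with `permissions["can_edit_own"]`, so a request whose user has no `ishtaruser` would raise `TypeError` instead of being denied. The view-level mixins may make that path hard to reach, but the method's contract should be one type: build the all-False dict before the `hasattr` check and make the guard `return permissions`. A docstring stating the contract would help the callers, e.g. `"""Return the import permissions of *user* as a dict keyed by can_{view,edit,delete}_{own,all}; all False when the user has no ishtaruser."""`.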
@@ -230,7 +230,7 @@ urlpatterns = [
 ),
 url(
 r"^import-list/$",
- check_rights(["view_import", "change_import", "change_own_import"])(views.ImportListView.as_view()),
+ check_rights(["view_import", "view_own_import", "change_import", "change_own_import"])(views.ImportListView.as_view()),
 name="current_imports",
 ),
 url(
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 29e7e5fe5..e1ecbfdcf 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -1700,19 +1700,22 @@ class ImportPreFormView(IshtarMixin, LoginRequiredMixin, FormView):
 return HttpResponseRedirect(self.get_success_url())
-def get_permissions_for_actions(user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own):
- can_edit, can_delete = False, False
+def get_permissions_for_actions(user, imprt, owns, permissions):
+ can_view, can_edit, can_delete = False, False, False
 is_own = None
- if can_edit_own or can_delete_own: # need to check owner
+ if permissions["can_edit_own"] or permissions["can_delete_own"] \
+ or permissions["can_view_own"]: # need to check owner
 if imprt.importer_type_id not in owns:
 # "is_own" only query once by importer type
 owns[imprt.importer_type.pk] = imprt.importer_type.is_own(user.ishtaruser)
 is_own = owns[imprt.importer_type_id]
- if can_edit_all or (can_edit_own and is_own):
+ if permissions["can_view_all"] or (permissions["can_view_own"] and is_own):
+ can_view = True
+ if permissions["can_edit_all"] or (permissions["can_edit_own"] and is_own):
 can_edit = True
- if can_delete_all or (can_delete_own and is_own):
+ if permissions["can_delete_all"] or (permissions["can_delete_own"] and is_own):
 can_delete = True
- return can_edit, can_delete
+ return can_view, can_edit, can_delete
 class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
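Review bot: `can_view` in the module-level `get_permissions_for_actions` is derived from the view rights alone, so a user holding only `change_import`/`change_own_import` (which the `urls.py` hunk in this commit still accepts for the import list) gets `can_view=False` and, through the `if not can_view: continue` added in the `ImportListView.get_queryset` hunk, an empty list, unless `has_right` already treats a change right as implying the view right — worth confirming before this ships. Either let edit/delete permission imply visibility here, or drop the change rights from the `check_rights` list so the two checks agree. The `\` continuation on the owner check is fragile to reformatting; parenthesising the condition, `if (permissions["can_edit_own"] or permissions["can_delete_own"] or permissions["can_view_own"]):`, reads the same and needs no backslash. A docstring such as `"""Return (can_view, can_edit, can_delete) for *imprt*, consulting *owns* as a per-importer-type cache of the is_own check."""` would document the `owns` side effect.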
@@ -1735,15 +1738,17 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 q2 = self._queryset_filter(models.ImportGroup.query_can_access(user, ["view_import", "change_import"]))
 q2 = q2.order_by("-end_date", "-creation_date", "-pk")
 values = list(reversed(sorted(list(q1) + list(q2), key=lambda x: (x.end_date or x.creation_date))))
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 user, self.request.session
 )
 imports = []
 owns = {}
 for imprt in values:
- can_edit, can_delete = get_permissions_for_actions(
- user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ user, imprt, owns, permissions
 )
+ if not can_view:
+ continue
 imprt.action_list = imprt.get_actions(can_edit=can_edit, can_delete=can_delete)
 imports.append(imprt)
 self.imports_len = len(imports)
@@ -1757,7 +1762,7 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 return imports
 def post(self, request, *args, **kwargs):
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 request.user, request.session
 )
 owns = {}
@@ -1773,8 +1778,8 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 imprt = model.objects.get(pk=int(field.split("-")[-1]))
 except (models.Import.DoesNotExist, ValueError):
 continue
- can_edit, can_delete = get_permissions_for_actions(
- request.user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, imprt, owns, permissions
 )
 action = request.POST[field]
 if can_delete and action == "D":
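Review bot: The per-item `can_view` filter added in `get_queryset` runs after `values` has been built from `query_can_access(user, ["view_import", "change_import"])`, a list that does not include the new `view_own_import` right (the `q1` line is outside the hunk and may read the same way), so if `query_can_access` restricts the queryset by those rights, an own-only viewer would get an empty result before the new check ever runs, and the `urls.py` change would admit them to an empty page. Passing `"view_own_import"` in that list, with the per-item `is_own` check still deciding visibility, would make the two layers agree; please confirm against `query_can_access`, whose body is not in the diff. In `post`, `can_view` is unpacked but unused, which is fine since the actions are gated on `can_edit`/`can_delete`, but a `_` in its place would make that intent explicit. `get_queryset` and `post` both start outside their hunks.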
@@ -2337,11 +2342,11 @@ def import_get_status(request, current_right=None):
 "number_of_line": item.number_of_line,
 "progress_percent": item.progress_percent,
 })
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 request.user, request.session
 )
- can_edit, can_delete = get_permissions_for_actions(
- request.user, item, {}, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, item, {}, permissions
 )
 item_dct["actions"] = [
 (key, str(lbl)) |
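Review bot: `can_view` is computed in `import_get_status` but never consulted: `item_dct` is already populated with the item's status fields above the check and the hunk continues into the actions list, so a caller who is not allowed to view this import would still receive its status unless the function's entry or `current_right` handling (outside the hunk) filters the items first — please confirm. If it does not, the same `if not can_view: continue` used in `ImportListView.get_queryset` belongs before `item_dct` is filled, or at least before it is appended to the response. The `models.Import.get_permissions_for_actions(request.user, request.session)` call depends only on the request and looks like it sits inside the per-item loop; hoisting it above the loop avoids repeating the `has_right` lookups for every item. `import_get_status` starts and ends outside the hunk.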