author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-03-11 10:35:43 +0100 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-03-11 12:04:07 +0100 |
commit | f34ee172417215395deb6e6a37648393c2b0e372 (patch) | |
tree | f35b351f375e623bc6b4eb795fb9746d72483f28 | |
parent | 4f2c8b7d8564d3f4bf59d437a79e86a7a81c88e2 (diff) | |
🐛 permissions: fix own permission for sheets (refs #6183)
-rw-r--r-- | ishtar_common/views_item.py | 23 |
1 files changed, 9 insertions, 14 deletions
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py index 008dbd0eb..9ee5b9040 100644 --- a/ishtar_common/views_item.py +++ b/ishtar_common/views_item.py @@ -507,17 +507,6 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None): if not allowed: raise PermissionDenied() q = model.objects - if own: - meta = model._meta - if not request.user.has_perm( - f"{meta.app_label}.view_own_{meta.model_name}"): - raise PermissionDenied() - """ - TODO: remove - query_own = model.get_query_owns(request.user.ishtaruser) - if query_own: - q = q.filter(query_own).distinct() - """ doc_type = "type" in dct and dct.pop("type") try: url = reverse("show-" + name, args=["0", ""]) @@ -552,13 +541,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None): return show_source_item(request, pk, model, name, dct, extra_dct) q = q.filter(pk=pk) if not q.count(): - return HttpResponse("") + raise PermissionDenied() + + item = q.all()[0] + + if own: + meta = model._meta + if not request.user.has_perm( + f"{meta.app_label}.view_own_{meta.model_name}", item): + raise PermissionDenied() if callback: callback("show_item", request, doc_type, q) - item = q.all()[0] - # list current perms for perm in Permission.objects.filter( codename__startswith='view_').values_list("codename", flat=True).all(): |
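Review bot: The `return show_source_item(request, pk, model, name, dct, extra_dct)` path at the top of the second hunk now runs before any `own` check, because the first hunk removes the model-level `view_own_` test and the new object-level test sits below that return. The condition guarding that return, like the rest of show_item's body, is outside the hunk, so confirm that `show_source_item` enforces ownership itself, or move the item lookup and the `has_perm(..., item)` check above it. The new check also depends on an authentication backend that handles the `obj` argument; Django's stock `ModelBackend` grants no permissions when an object is passed, so without such a backend every non-superuser on the `own` path would be denied. Separately, `q.count()` followed by `q.all()[0]` issues two queries and can raise `IndexError` if the row disappears in between; `item = q.first()` followed by `if item is None: raise PermissionDenied()` avoids both.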