author | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-03-28 13:17:29 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-03-29 18:25:09 +0200 |
commit | 02136acb286d0f6b97dcbc715138f085d59767ea (patch) | |
tree | 72aaceee89f2fe1e30602314d2871bb433fd5a15 | |
parent | 1e99edb16662266251fae93750e315d8b56593b3 (diff) | |
Access control: fix get owns query for UEs, finds, warehouses and containers
-rw-r--r-- | archaeological_context_records/models.py | 7 | ||||
-rw-r--r-- | archaeological_files/models.py | 2 | ||||
-rw-r--r-- | archaeological_finds/models_finds.py | 11 | ||||
-rw-r--r-- | archaeological_warehouse/models.py | 11 |
4 files changed, 22 insertions, 9 deletions
diff --git a/archaeological_context_records/models.py b/archaeological_context_records/models.py
index 4df56c49f..a16b4cae7 100644
--- a/archaeological_context_records/models.py
+++ b/archaeological_context_records/models.py
@@ -365,9 +365,10 @@ class ContextRecord(BaseHistorizedItem, ImageModel, OwnPerms,
 @classmethod
 def get_query_owns(cls, user):
- return Q(operation__scientist=user.ishtaruser.person) |\
- Q(operation__in_charge=user.ishtaruser.person) |\
- Q(history_creator=user)
+ return (Q(operation__scientist=user.ishtaruser.person) |
+ Q(operation__in_charge=user.ishtaruser.person) |
+ Q(history_creator=user)) \
+ & Q(operation__end_date__isnull=True)
 @classmethod
 def get_owns(cls, user, menu_filtr=None, limit=None,
diff --git a/archaeological_files/models.py b/archaeological_files/models.py
index 7f37a298f..52f628817 100644
--- a/archaeological_files/models.py
+++ b/archaeological_files/models.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# Copyright (C) 2012-2016 Étienne Loks <etienne.loks_AT_peacefrogsDOTnet>
+# Copyright (C) 2012-2017 Étienne Loks <etienne.loks_AT_peacefrogsDOTnet>
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
diff --git a/archaeological_finds/models_finds.py b/archaeological_finds/models_finds.py
index c54fd1ed9..cbd13e925 100644
--- a/archaeological_finds/models_finds.py
+++ b/archaeological_finds/models_finds.py
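Review bot: In `ContextRecord.get_query_owns` the new `& Q(operation__end_date__isnull=True)` is applied to the whole parenthesised OR, so it also gates the `history_creator=user` branch: a record's creator stops owning it as soon as the operation gets an end date. If that is the intended rule, state it next to the query, e.g. `# Ownership lapses once the operation has an end date, for the creator as well as the scientist / in charge.`; if creators are meant to keep access, the `history_creator` clause belongs outside the parentheses. The same shape appears in `Find.get_query_owns` in archaeological_finds/models_finds.py. `get_owns` continues outside the hunk, so how this Q is combined with other filters is not visible here.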
@@ -868,11 +868,12 @@ class Find(BaseHistorizedItem, ImageModel, OwnPerms, ShortMenuItem):
 @classmethod
 def get_query_owns(cls, user):
- return Q(base_finds__context_record__operation__scientist=user.
- ishtaruser.person) | \
- Q(base_finds__context_record__operation__in_charge=user.
- ishtaruser.person) | \
- Q(history_creator=user)
+ return (Q(base_finds__context_record__operation__scientist=user.
+ ishtaruser.person) |
+ Q(base_finds__context_record__operation__in_charge=user.
+ ishtaruser.person) |
+ Q(history_creator=user)) \
+ & Q(base_finds__context_record__operation__end_date__isnull=True)
 @classmethod
 def get_owns(cls, user, menu_filtr=None, limit=None,
diff --git a/archaeological_warehouse/models.py b/archaeological_warehouse/models.py
index d1918f46a..fe054a37b 100644
--- a/archaeological_warehouse/models.py
+++ b/archaeological_warehouse/models.py
@@ -21,6 +21,7 @@ import datetime
 from django.conf import settings
 from django.contrib.gis.db import models
+from django.db.models import Q
 from django.db.models.signals import post_save, post_delete
 from django.template.defaultfilters import slugify
 from django.utils.translation import ugettext_lazy as _, ugettext
@@ -78,6 +79,10 @@ class Warehouse(Address, OwnPerms):
 return datetime.date.today().strftime('%Y-%m-%d') + '-' + \
 slugify(unicode(self))
+ @classmethod
+ def get_query_owns(cls, user):
+ return Q(person_in_charge__ishtaruser=user.ishtaruser)
+
 def save(self, *args, **kwargs):
 super(Warehouse, self).save(*args, **kwargs)
 for container in self.containers.all():
@@ -208,6 +213,12 @@ class Container(LightHistorizedItem, ImageModel):
 cached_label = u" - ".join(items)
 return cached_label
+ @classmethod
+ def get_query_owns(cls, user):
+ return Q(history_creator=user) | \
+ Q(location__person_in_charge__ishtaruser=user.ishtaruser) | \
+ Q(responsible__person_in_charge__ishtaruser=user.ishtaruser)
+
 @property
 def associated_filename(self):
 filename = datetime.date.today().strftime('%Y-%m-%d') |
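Review bot: In `Find.get_query_owns` the closed-operation test is evaluated through `base_finds`, which looks like a multi-valued relation, so a find is kept as soon as any one of its base finds belongs to an operation without an end date. For the `history_creator=user` branch that means a find linked to one open and one closed operation presumably stays owned by its creator; it is worth confirming that this is the intended access rule and pinning it with a test. The join can also return the same find more than once unless the caller applies `.distinct()`; `get_owns` only starts at the end of the hunk, so its body is not visible.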
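Review bot: `Warehouse.get_query_owns` dereferences `user.ishtaruser` with no guard, so for an account without an Ishtar profile the permission check presumably raises instead of returning an empty ownership set. That fails closed, but as an error rather than a clean denial; a guard such as `ishtaruser = getattr(user, 'ishtaruser', None)` followed by `if ishtaruser is None: return Q(pk__in=[])` would make the no-profile case explicit. The new `Container.get_query_owns` and the `user.ishtaruser.person` lookups in the ContextRecord and Find hunks have the same dependency. How callers handle the exception is outside this diff.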
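Review bot: The hunk header shows `class Container(LightHistorizedItem, ImageModel)` without `OwnPerms`, unlike `Warehouse(Address, OwnPerms)`, so it is not visible from here whether anything calls the new `Container.get_query_owns`. If the own-permission machinery comes from `OwnPerms`, the class needs it among its bases or the query is never applied. If `LightHistorizedItem` already provides it, a one-line docstring such as `"""Containers are owned by their creator and by the person in charge of their location or responsible warehouse."""` would record the rule; the meaning of `location` and `responsible` is inferred from the field names and should be confirmed.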