authorÉtienne Loks <etienne.loks@iggdrasil.net>2025-07-21 12:56:36 +0200
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-07-21 12:56:36 +0200
commit0427aa8882916d5b0ffbaca27404263ce69fc78f (patch)
treeae2374f7494ddc29cfb8b31c6e486caa36364bd6
parentf7e7951cba95f8a4e49477832c849c461c7f69fe (diff)
🐛 imports list: fix permissions check
-rw-r--r--ishtar_common/models_imports.py36
-rw-r--r--ishtar_common/urls.py2
-rw-r--r--ishtar_common/views.py35
3 files changed, 46 insertions, 27 deletions
diff --git a/ishtar_common/models_imports.py b/ishtar_common/models_imports.py
index cae04298b..510a9ff7d 100644
--- a/ishtar_common/models_imports.py
+++ b/ishtar_common/models_imports.py
@@ -230,9 +230,10 @@ class ImporterType(models.Model):
def __str__(self):
return self.name
- @classmethod
- def is_own(cls, ishtar_user):
- return bool(cls.objects.filter(users__pk=ishtar_user.pk).count())
+ def is_own(self, ishtar_user):
+ return bool(
+ self.__class__.objects.filter(pk=self.pk, users__pk=ishtar_user.pk).count()
+ )
@property
def type_label(self):
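Review bot: `is_own` still runs a `count()` aggregate only to test for existence; `.exists()` is the cheaper query and reads as the boolean it is, e.g. `return self.users.filter(pk=ishtar_user.pk).exists()`. The move from `@classmethod` to an instance method is what makes the check per importer type (the old form answered whether the user owned any importer type at all), but any call site that still invokes it on the class, `ImporterType.is_own(...)`, will now fail or bind the wrong argument, so the other apps are worth grepping. A one-line docstring, `"""Return True if *ishtar_user* is attached to this importer type."""`, would document the new contract.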
@@ -1450,19 +1451,32 @@ class BaseImport(models.Model, OwnPerms, SheetItem):
def get_permissions_for_actions(cls, user, session):
if not hasattr(user, "ishtaruser") or not user.ishtaruser:
return False, False, False, False
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = False, False, False, False
+ permissions = {
+ "can_view_own": False,
+ "can_edit_own": False,
+ "can_delete_own": False,
+ "can_edit_all": False,
+ "can_view_all": False,
+ "can_delete_all": False,
+ }
if user.is_superuser:
- can_edit_all = True
- can_delete_all = True
+ permissions["can_view_all"] = True
+ permissions["can_edit_all"] = True
+ permissions["can_delete_all"] = True
+ return permissions
+ if user.ishtaruser.has_right("view_import", session=session):
+ permissions["can_view_all"] = True
+ elif user.ishtaruser.has_right("view_own_import", session=session):
+ permissions["can_view_own"] = True
if user.ishtaruser.has_right("change_import", session=session):
- can_edit_all = True
+ permissions["can_edit_all"] = True
elif user.ishtaruser.has_right("change_own_import", session=session):
- can_edit_own = True
+ permissions["can_edit_own"] = True
if user.ishtaruser.has_right("delete_import", session=session):
- can_delete_all = True
+ permissions["can_delete_all"] = True
elif user.ishtaruser.has_right("delete_own_import", session=session):
- can_delete_own = True
- return can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ permissions["can_delete_own"] = True
+ return permissions
@classmethod
def query_can_access(cls, user, perm="view_import"):
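Review bot: The early return on the `ishtaruser` check still yields the old 4-tuple `False, False, False, False` while every other path now returns the `permissions` dict; a caller indexing `permissions["can_view_own"]` on that path gets a `TypeError` instead of a denied result. Move the `permissions = {...}` literal above the `hasattr` test and replace the tuple with `return permissions`. The `@classmethod` decorator sits above the hunk. Since the dict shape is now the contract, a docstring listing the six keys and stating that superusers get every `_all` key set would help the three callers in views.py.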
diff --git a/ishtar_common/urls.py b/ishtar_common/urls.py
index babdece35..2fa5ecfb3 100644
--- a/ishtar_common/urls.py
+++ b/ishtar_common/urls.py
@@ -230,7 +230,7 @@ urlpatterns = [
),
url(
r"^import-list/$",
- check_rights(["view_import", "change_import", "change_own_import"])(views.ImportListView.as_view()),
+ check_rights(["view_import", "view_own_import", "change_import", "change_own_import"])(views.ImportListView.as_view()),
name="current_imports",
),
url(
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 29e7e5fe5..e1ecbfdcf 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -1700,19 +1700,22 @@ class ImportPreFormView(IshtarMixin, LoginRequiredMixin, FormView):
return HttpResponseRedirect(self.get_success_url())
-def get_permissions_for_actions(user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own):
- can_edit, can_delete = False, False
+def get_permissions_for_actions(user, imprt, owns, permissions):
+ can_view, can_edit, can_delete = False, False, False
is_own = None
- if can_edit_own or can_delete_own: # need to check owner
+ if permissions["can_edit_own"] or permissions["can_delete_own"] \
+ or permissions["can_view_own"]: # need to check owner
if imprt.importer_type_id not in owns:
# "is_own" only query once by importer type
owns[imprt.importer_type.pk] = imprt.importer_type.is_own(user.ishtaruser)
is_own = owns[imprt.importer_type_id]
- if can_edit_all or (can_edit_own and is_own):
+ if permissions["can_view_all"] or (permissions["can_view_own"] and is_own):
+ can_view = True
+ if permissions["can_edit_all"] or (permissions["can_edit_own"] and is_own):
can_edit = True
- if can_delete_all or (can_delete_own and is_own):
+ if permissions["can_delete_all"] or (permissions["can_delete_own"] and is_own):
can_delete = True
- return can_edit, can_delete
+ return can_view, can_edit, can_delete
class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
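Review bot: The owner check `if` uses a backslash continuation; PEP 8 prefers implicit continuation inside parentheses, `if (permissions["can_edit_own"] or permissions["can_delete_own"] or permissions["can_view_own"]):`. The `owns` cache is written under `imprt.importer_type.pk` but read under `imprt.importer_type_id`; the values are the same, but using `importer_type_id` on both sides avoids one related-object access and makes the key obvious. The function has no docstring; one stating that `owns` is a per-importer-type ownership cache the function mutates and that the result is the `(can_view, can_edit, can_delete)` triple for *imprt* would save the next reader from tracing it through the list view.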
@@ -1735,15 +1738,17 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
q2 = self._queryset_filter(models.ImportGroup.query_can_access(user, ["view_import", "change_import"]))
q2 = q2.order_by("-end_date", "-creation_date", "-pk")
values = list(reversed(sorted(list(q1) + list(q2), key=lambda x: (x.end_date or x.creation_date))))
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
user, self.request.session
)
imports = []
owns = {}
for imprt in values:
- can_edit, can_delete = get_permissions_for_actions(
- user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ user, imprt, owns, permissions
)
+ if not can_view:
+ continue
imprt.action_list = imprt.get_actions(can_edit=can_edit, can_delete=can_delete)
imports.append(imprt)
self.imports_len = len(imports)
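Review bot: The new `can_view` post-filter only drops rows the querysets already returned, yet `q2` is still built with `query_can_access(user, ["view_import", "change_import"])`, which lists neither `view_own_import` nor `change_own_import`; a user holding only an `_own` right may therefore get an empty `q2` before the check ever runs. Passing `["view_import", "view_own_import", "change_import", "change_own_import"]`, the same set the URL guard now uses, would make the SQL filter and the Python filter agree — worth confirming against what `query_can_access` does with the list. `q1` is built above the hunk and cannot be checked here.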
@@ -1757,7 +1762,7 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
return imports
def post(self, request, *args, **kwargs):
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
request.user, request.session
)
owns = {}
@@ -1773,8 +1778,8 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
imprt = model.objects.get(pk=int(field.split("-")[-1]))
except (models.Import.DoesNotExist, ValueError):
continue
- can_edit, can_delete = get_permissions_for_actions(
- request.user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, imprt, owns, permissions
)
action = request.POST[field]
if can_delete and action == "D":
@@ -2337,11 +2342,11 @@ def import_get_status(request, current_right=None):
"number_of_line": item.number_of_line,
"progress_percent": item.progress_percent,
})
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
request.user, request.session
)
- can_edit, can_delete = get_permissions_for_actions(
- request.user, item, {}, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, item, {}, permissions
)
item_dct["actions"] = [
(key, str(lbl))
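Review bot: `models.Import.get_permissions_for_actions` is called where `item_dct` is filled, which looks like the body of a per-item loop (the loop head is above the hunk); the user's rights do not change between items, so the lookup can be hoisted before the loop as `ImportListView.get_queryset` does. `can_view` is computed but not used in the visible lines; if `item_dct` is emitted regardless, a user without view rights on that import still receives its status and progress. Confirm the caller checks it before emitting, e.g. `if not can_view: continue`.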