author | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-03-28 16:46:38 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-03-29 18:25:09 +0200 |
commit | 40831b3de94aef231530c14f22030b22b6d88c72 (patch) | |
tree | ed9088825dfa898e325c4ecda84860be961b6f72 | |
parent | 964ce0244baf55cc1af1029b67f991a0865f1f3c (diff) | |
Access control: simplify and fix permissions relative to "get_item"
-rw-r--r-- | archaeological_operations/views.py | 2 | ||||
-rw-r--r-- | ishtar_common/views.py | 40 |
2 files changed, 22 insertions, 20 deletions
diff --git a/archaeological_operations/views.py b/archaeological_operations/views.py
index c886d9095..9b420f594 100644
--- a/archaeological_operations/views.py
+++ b/archaeological_operations/views.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# Copyright (C) 2010-2016 Étienne Loks <etienne.loks_AT_peacefrogsDOTnet>
+# Copyright (C) 2010-2017 Étienne Loks <etienne.loks_AT_peacefrogsDOTnet>
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index c99e78b9c..d3c9e0897 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -586,22 +586,30 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 # check rights
 own = True # more restrictive by default
 allowed = False
- if request.user.is_authenticated() and \
- request.user.ishtaruser.has_right('administrator',
- session=request.session):
+ if specific_perms:
+ available_perms = specific_perms[:]
+ else:
+ available_perms = ['view_' + model.__name__.lower(),
+ 'view_own_' + model.__name__.lower()]
+ EMPTY = ''
+ if 'type' in dct:
+ data_type = dct.pop('type')
+ if not data_type:
+ EMPTY = '[]'
+ data_type = 'json'
+ if not request.user.is_authenticated():
+ return HttpResponse(EMPTY, mimetype='text/plain')
+
+ if request.user.ishtaruser.has_right('administrator',
+ session=request.session):
 allowed = True
 own = False
 else:
 for perm, lbl in model._meta.permissions:
- # if not specific any perm is relevant (read right)
- if specific_perms and perm not in specific_perms:
+ if perm not in available_perms:
 continue
- cperm = model._meta.app_label + '.' + perm
- if request.user.has_perm(cperm)\
- or cperm in request.user.get_all_permissions() \
- or (request.user.is_authenticated()
- and request.user.ishtaruser.has_right(
- perm, session=request.session)):
+ if request.user.ishtaruser.has_right(
+ perm, session=request.session):
 allowed = True
 if "_own_" not in perm:
 own = False
@@ -611,12 +619,6 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \
 request.session['SHORTCUT_SEARCH'] == 'own':
 own = True
- EMPTY = ''
- if 'type' in dct:
- data_type = dct.pop('type')
- if not data_type:
- EMPTY = '[]'
- data_type = 'json'
 if not allowed:
 return HttpResponse(EMPTY, mimetype='text/plain')
@@ -898,7 +900,6 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 table_cols += model.EXTRA_FULL_FIELDS
 else:
 table_cols = model.TABLE_COLS
- query_table_cols = []
 for cols in table_cols:
 if type(cols) not in (list, tuple):
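Review bot: In the rewritten permission loop of the first hunk, a name in `specific_perms` that is not declared in `model._meta.permissions` is never tested, so a caller passing an undeclared or misspelled permission silently gets `allowed = False` and the empty response instead of an error; that fails closed, which is the right default, but deserves a comment above the loop such as `# only permissions declared on the model can grant access; undeclared names in specific_perms fail closed`. Right after the new `is_authenticated()` guard, `request.user.ishtaruser` is dereferenced unconditionally, so an authenticated account without an ishtaruser profile would raise rather than receive the empty response — presumably every account has one, but worth confirming. The unused loop variable could be written `for perm, _lbl in model._meta.permissions:`. In the third hunk the initialisation `query_table_cols = []` is removed just before `for cols in table_cols:`; if that loop body (outside the hunk) appends to `query_table_cols` and no earlier assignment exists, the first append raises `UnboundLocalError` — confirm an earlier initialisation exists. `get_item` begins and ends outside these hunks.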
@@ -916,6 +917,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 model.CONTEXTUAL_TABLE_COLS[contxt][col]
 if full == 'shortcut':
 query_table_cols = ['cached_label']
+ table_cols = ['cached_label']
 # manage sort tables
 manual_sort_key = None
@@ -1103,7 +1105,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 if hasattr(model, 'COL_LINK') and k in model.COL_LINK:
 value = link_ext_template.format(value, value)
 res[k] = value
- if full == 'shortcut':
+ if full == 'shortcut' and 'cached_label' in res:
 res['value'] = res.pop('cached_label')
 rows.append(res)
 if full == 'shortcut': |
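Review bot: The new guard `and 'cached_label' in res` in the last hunk turns a KeyError into a silently appended row without a `value` key, and since the fourth hunk forces `table_cols = ['cached_label']` in shortcut mode such a row carries no data at all. If models without `cached_label` are expected here, a comment like `# models without cached_label produce rows without 'value'` would make that explicit; if not, `continue` instead of appending would keep empty rows out of the shortcut result. The enclosing `for` loop and `get_item` continue outside the hunk.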