| author | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:23:27 +0200 | 
|---|---|---|
| committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:23:27 +0200 | 
| commit | 3795281cfb51f350866429f6b343ba28112c7f84 (patch) | |
| tree | 7dda58b9fe9912350c56c1c892d549ec18d84995 /ishtar_common/models.py | |
| parent | 167654c4d096870f3fcd5203cf0dc15f21d47cdc (diff) | |
| download | Ishtar-3795281cfb51f350866429f6b343ba28112c7f84.tar.bz2 Ishtar-3795281cfb51f350866429f6b343ba28112c7f84.zip | |
get_item: refactoring of access control check
Diffstat (limited to 'ishtar_common/models.py')
| -rw-r--r-- | ishtar_common/models.py | 38 | 
1 files changed, 38 insertions, 0 deletions
| diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index 44bc138eb..77b4ed335 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -90,6 +90,44 @@ def post_save_user(sender, **kwargs):
 post_save.connect(post_save_user, sender=User)
+def check_model_access_control(request, model, available_perms=None):
+    """
+    Check access control to a model for a specific request
+
+    :param request: the current request
+    :param model: the concerned model
+    :param available_perms: specific permissions to check if not specified
+    "view" and "view_own" will be checked
+    :return: (allowed, own) tuple
+    """
+    own = True  # more restrictive by default
+    allowed = False
+    if not request.user.is_authenticated():
+        return allowed, own
+
+    if not available_perms:
+        available_perms = ['view_' + model.__name__.lower(),
+                           'view_own_' + model.__name__.lower()]
+    if request.user.ishtaruser.has_right('administrator',
+                                         session=request.session):
+        allowed = True
+        own = False
+        return allowed, own
+    for perm, lbl in model._meta.permissions:
+        if perm not in available_perms:
+            continue
+        cperm = model._meta.app_label + '.' + perm
+        if request.user.has_perm(cperm) \
+                or cperm in request.user.get_all_permissions() \
+                or request.user.ishtaruser.has_right(
+                    perm, session=request.session):
+            allowed = True
+            if "_own_" not in perm:
+                own = False
+                break  # max right reach
+        return allowed, own
+
+
 class Imported(models.Model):
     imports = models.ManyToManyField(
         'Import', blank=True, null=True, | 
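Review bot: The last `return allowed, own` in `check_model_access_control` is indented at the level of the `for` body, so as rendered here the function returns after the first permission found in `available_perms` and never examines the rest. The result therefore depends on the order in which the model declares its permissions: a user holding only `view_own_<model>` is refused when `view_<model>` is declared first. When no declared permission is in `available_perms`, the loop ends without a return and the function yields `None`, which breaks any caller that unpacks `(allowed, own)`. Dedenting that line to function level, `    return allowed, own`, lets the loop consider every candidate permission and keeps the deny-by-default `(False, True)` result. A test with both view permissions declared in each order would pin the intended behaviour.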
