authorÉtienne Loks <etienne.loks@iggdrasil.net>2024-10-16 17:57:13 +0200
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-02-19 14:43:48 +0100
commitc93dd3812c53d21ab8517dc7af72e1d4b70a1b04 (patch)
tree2153d8fd121f7ecd08a31e4867d58a2eb3c9aab7 /ishtar_common/utils.py
parentb8eef9b6aaed7ee097f8ea86174067f9ca42abd8 (diff)
♻ permissions refactoring: refactor has_permission methods
Diffstat (limited to 'ishtar_common/utils.py')
-rw-r--r--ishtar_common/utils.py106
1 files changed, 64 insertions, 42 deletions
diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py
index 09e83714b..8de745874 100644
--- a/ishtar_common/utils.py
+++ b/ishtar_common/utils.py
@@ -21,8 +21,9 @@ from csv import QUOTE_ALL
import datetime
import feedparser
from functools import wraps
+from guardian.exceptions import WrongAppError
from itertools import chain
-from inspect import currentframe, getframeinfo
+from inspect import currentframe
import json
import logging
import hashlib
@@ -225,24 +226,25 @@ def import_class(full_path_classname):
return model
-def check_rights(rights=None, redirect_url="/"):
+def check_permissions(permissions=None, redirect_url="/"):
"""
Decorator that checks the rights to access the view.
"""
def decorator(view_func):
def _wrapped_view(request, *args, **kwargs):
- if not rights:
+ if not permissions:
return view_func(request, *args, **kwargs)
if hasattr(request.user, "ishtaruser"):
- if request.user.ishtaruser.has_right("administrator", request.session):
+ ishtaruser = request.user.ishtaruser
+ if ishtaruser.has_permission("ishtaradmin"):
kwargs["current_right"] = "administrator"
return view_func(request, *args, **kwargs)
- for right in rights:
+ for permission in permissions:
# be careful to put the more permissive rights first
# if granted it can allow more
- if request.user.ishtaruser.has_right(right, request.session):
- kwargs["current_right"] = right
+ if ishtaruser.has_permission(permission):
+ kwargs["current_right"] = permission
return view_func(request, *args, **kwargs)
put_session_message(
request.session.session_key,
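Review bot: The `current_right` keyword handed to the view now comes in two formats: the admin branch still sets the literal `"administrator"` although the permission checked is `"ishtaradmin"`, and the loop now passes dotted names of the form `app_label.codename` where it used to pass bare codenames. A view that compares `current_right` with an old-style string would silently take the wrong branch; those views are not visible here, so this is worth checking. The docstring still speaks of "rights" and could state the contract, e.g. `Decorator that checks the user's permissions before calling the view and passes the granted one as current_right ("administrator" for admins).` Separately, `if not permissions:` calls the view with no check at all, so an empty list is fail-open; a comment such as `# no permission list: the view is intentionally unprotected` would make that explicit. The body of `_wrapped_view` continues outside the hunk.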
@@ -256,17 +258,18 @@ def check_rights(rights=None, redirect_url="/"):
return decorator
-def check_rights_condition(rights):
+def check_permissions_condition(permissions):
"""
To be used to check in wizard condition_dict
"""
def func(self):
request = self.request
- if request.user.ishtaruser.has_right("administrator", request.session):
+ ishtaruser = request.user.ishtaruser
+ if ishtaruser.has_permission("ishtaradmin"):
return True
- for right in rights:
- if request.user.ishtaruser.has_right(right, request.session):
+ for permission in permissions:
+ if ishtaruser.has_permission(permission):
return True
return False
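Review bot: `ishtaruser = request.user.ishtaruser` is read without the guard that `check_permissions` applies (`hasattr(request.user, "ishtaruser")`), so a request whose user has no `ishtaruser` raises here instead of being denied. If wizard conditions can be evaluated for such users (not visible in this hunk), use `ishtaruser = getattr(request.user, "ishtaruser", None)` followed by `if not ishtaruser: return False`. The enclosing function continues outside the hunk.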
@@ -297,7 +300,7 @@ def check_model_access_control(request, model, available_perms=None):
ishtaruser = request.user.ishtaruser
except request.user._meta.model.ishtaruser.RelatedObjectDoesNotExist:
return False, True
- if ishtaruser.has_right("administrator", session=request.session):
+ if ishtaruser.has_permission("ishtaradmin"):
allowed = True
own = False
return allowed, own
@@ -305,10 +308,10 @@ def check_model_access_control(request, model, available_perms=None):
content_type__app_label=model._meta.app_label,
content_type__model=model._meta.model_name
)
- for perm in q.values_list("codename", flat=True):
+ for app_name, perm in q.values_list("content_type__app_label", "codename"):
if perm not in available_perms:
continue
- if ishtaruser.person.has_right(perm, session=request.session):
+ if ishtaruser.has_permission(f"{app_name}.{perm}"):
allowed = True
if "_own_" not in perm:
own = False
@@ -343,48 +346,56 @@ class OwnPerms:
return None # implement for each object
def can_view(self, request):
- if hasattr(self, "LONG_SLUG"):
- perm = "view_" + self.LONG_SLUG
- else:
- perm = "view_" + self.SLUG
+ meta = self.__class__._meta
+ perm = f"{meta.app_label}.view_{meta.model_name}"
return self.can_do(request, perm)
def can_edit(self, request):
if not getattr(request.user, "ishtaruser", None):
return False
ishtaruser = request.user.ishtaruser
- slug = self.LONG_SLUG if hasattr(self, "LONG_SLUG") else self.SLUG
- if ishtaruser.has_perm("change_" + slug, session=request.session):
+ meta = self.__class__._meta
+ perm = f"{meta.app_label}.change_{meta.model_name}"
+ if ishtaruser.has_permission(perm):
return True
- if not ishtaruser.has_perm("change_own_" + slug, session=request.session):
+ own_perm = f"{meta.app_label}.change_own_{meta.model_name}"
+ if not ishtaruser.has_permission(own_perm):
return False
return self.is_own(ishtaruser)
- def can_do(self, request, action_name):
+ def can_do(self, request, permission):
"""
Check permission availability for the current object.
:param request: request object
- :param action_name: action name eg: "change_find" - "own" variation is
- checked
+ :param permission: action name eg: "archaelogical_finds.change_find" - "own"
+ variation is checked
:return: boolean
"""
if not getattr(request.user, "ishtaruser", None):
return False
- splited = action_name.split("_")
- action_own_name = splited[0] + "_own_" + "_".join(splited[1:])
- user = request.user
- if action_name == "view_findbasket":
- action_own_name = "view_own_find"
- action_name = "view_find"
- return user.ishtaruser.has_right(action_name, request.session) or (
- user.ishtaruser.has_right(action_own_name, request.session)
- and self.is_own(user.ishtaruser)
- )
+
+ if "_findbasket" in permission:
+ permission = permission.replace("basket", "")
+ ishtaruser = request.user.ishtaruser
+
+ if ishtaruser.has_permission(permission):
+ return True
+ app, perm = permission.split(".")
+ p = perm.split("_")
+ own = f"{app}.{p[0]}_own_{('_').join(p[1:])}"
+ try:
+ return ishtaruser.has_permission(own, self)
+ except WrongAppError:
+ # normaly occurs when, for instance, add doc permission is required
+ # for an item with document attached but the item is not a document.
+ # own permission is irrelevant: return False
+ return False
def is_own(self, user, alt_query_own=None):
"""
Check if the current object is owned by the user
"""
+ print("ishtar_common/utils.py - 370 - DELETE")
IshtarUser = apps.get_model("ishtar_common", "IshtarUser")
if isinstance(user, IshtarUser):
ishtaruser = user
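Review bot: In `can_do`, `app, perm = permission.split(".")` raises ValueError for any string that is not exactly `app_label.codename`, so a caller still passing an old-style name such as `"change_find"` gets a server error instead of a denial; whether such callers remain is not visible here. Consider `app, sep, perm = permission.rpartition(".")` followed by `if not sep: return False`, so malformed names fail closed. The basket rewrite `permission.replace("basket", "")` strips every occurrence of "basket", including one in the app label; `permission.replace("_findbasket", "_find")` limits it to the codename it targets. `can_edit` checks the own permission and then calls `self.is_own(...)`, while `can_do` passes `self` to `has_permission`; a comment stating that the two paths are meant to be equivalent would help the next reader.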
@@ -406,6 +417,7 @@ class OwnPerms:
"""
Check if the user own some items
"""
+ print("ishtar_common/utils.py - 392 - DELETE")
IshtarUser = apps.get_model("ishtar_common", "IshtarUser")
if isinstance(user, IshtarUser):
ishtaruser = user
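Review bot: The added `print("ishtar_common/utils.py - 392 - DELETE")` is a leftover debug trace in an ownership check, and the same kind of line is added to `is_own` in the preceding hunk. Both write to stdout on every call and should be removed before merge. If tracing is wanted here, the module already imports `logging`, e.g. `logger.debug("has_own called")` on a module-level logger (the logger name is an assumption; none is visible in this diff). The method body continues outside the hunk.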
@@ -1139,9 +1151,7 @@ def get_random_item_image_link(request):
return ""
ishtar_user = request.user.ishtaruser
- if not ishtar_user.has_right(
- "ishtar_common.view_document", session=request.session
- ):
+ if not ishtar_user.has_permission("ishtar_common.view_document"):
return ""
q = (
@@ -1945,17 +1955,23 @@ def get_urls_for_model(
"""
Generate get and show url for a model
"""
+ app_label = model._meta.app_label
+ model_name = model._meta.model_name
urls = [
url(
r"show-{}(?:/(?P<pk>.+))?/(?P<type>.+)?$".format(model.SLUG),
- check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])(
+ check_permissions(
+ [f"{app_label}.view_{model_name}",
+ f"{app_label}.view_own_{model_name}"])(
getattr(views, "show_" + model.SLUG)
),
name="show-" + model.SLUG,
),
url(
r"^display-{}/(?P<pk>.+)/$".format(model.SLUG),
- check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])(
+ check_permissions(
+ [f"{app_label}.view_{model_name}",
+ f"{app_label}.view_own_{model_name}"])(
getattr(views, "display_" + model.SLUG)
),
name="display-" + model.SLUG,
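Review bot: The same two-element permission list is now spelled out five times, here and in the three following hunks of `get_urls_for_model`, which makes it easy for one route to drift from the others. Build it once after `model_name` is set, `view_perms = [f"{app_label}.view_{model_name}", f"{app_label}.view_own_{model_name}"]`, and wrap each view with `check_permissions(view_perms)(`. Keep a comment that the non-own permission must come first, because `check_permissions` returns on the first match. Note also that the routes are still keyed on `model.SLUG` while the permissions are derived from `model._meta.model_name`; if the two differ for some model, the codename checked is no longer the one the old `"view_" + model.SLUG` named, so the existing permission rows should be confirmed.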
@@ -1965,7 +1981,9 @@ def get_urls_for_model(
urls += [
url(
r"get-{}/own/(?P<type>.+)?$".format(model.SLUG),
- check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])(
+ check_permissions(
+ [f"{app_label}.view_{model_name}",
+ f"{app_label}.view_own_{model_name}"])(
getattr(views, "get_" + model.SLUG)
),
name="get-own-" + model.SLUG,
@@ -1976,7 +1994,9 @@ def get_urls_for_model(
urls += [
url(
r"get-{}/(?P<type>.+)?$".format(model.SLUG),
- check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])(
+ check_permissions(
+ [f"{app_label}.view_{model_name}",
+ f"{app_label}.view_own_{model_name}"])(
getattr(views, "get_" + model.SLUG)
),
name="get-" + model.SLUG,
@@ -1987,7 +2007,9 @@ def get_urls_for_model(
urls += [
url(
r"autocomplete-{}/$".format(model.SLUG),
- check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])(
+ check_permissions(
+ [f"{app_label}.view_{model_name}",
+ f"{app_label}.view_own_{model_name}"])(
getattr(views, "autocomplete_" + model.SLUG)
),
name="autocomplete-" + model.SLUG,