author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 12:56:36 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 12:56:36 +0200 |
commit | 0427aa8882916d5b0ffbaca27404263ce69fc78f (patch) | |
tree | ae2374f7494ddc29cfb8b31c6e486caa36364bd6 /ishtar_common/views.py | |
parent | f7e7951cba95f8a4e49477832c849c461c7f69fe (diff) | |
🐛 imports list: fix permissions check
Diffstat (limited to 'ishtar_common/views.py')
-rw-r--r-- | ishtar_common/views.py | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 29e7e5fe5..e1ecbfdcf 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -1700,19 +1700,22 @@ class ImportPreFormView(IshtarMixin, LoginRequiredMixin, FormView):
 return HttpResponseRedirect(self.get_success_url())
-def get_permissions_for_actions(user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own):
- can_edit, can_delete = False, False
+def get_permissions_for_actions(user, imprt, owns, permissions):
+ can_view, can_edit, can_delete = False, False, False
 is_own = None
- if can_edit_own or can_delete_own: # need to check owner
+ if permissions["can_edit_own"] or permissions["can_delete_own"] \
+ or permissions["can_view_own"]: # need to check owner
 if imprt.importer_type_id not in owns: # "is_own" only query once by importer type
 owns[imprt.importer_type.pk] = imprt.importer_type.is_own(user.ishtaruser)
 is_own = owns[imprt.importer_type_id]
- if can_edit_all or (can_edit_own and is_own):
+ if permissions["can_view_all"] or (permissions["can_view_own"] and is_own):
+ can_view = True
+ if permissions["can_edit_all"] or (permissions["can_edit_own"] and is_own):
 can_edit = True
- if can_delete_all or (can_delete_own and is_own):
+ if permissions["can_delete_all"] or (permissions["can_delete_own"] and is_own):
 can_delete = True
- return can_edit, can_delete
+ return can_view, can_edit, can_delete
 class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
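Review bot: `get_permissions_for_actions` now returns three booleans instead of two and reads six keys from `permissions` by direct indexing, but neither contract is written down. A caller outside this file that still unpacks two values, or a `permissions` dict missing a key such as `"can_view_own"`, would fail at request time; only the three call sites in this diff are visibly updated, and the diffstat shown is limited to views.py. A docstring listing the required keys (`can_view_all`, `can_view_own`, `can_edit_all`, `can_edit_own`, `can_delete_all`, `can_delete_own`) and the return order `(can_view, can_edit, can_delete)` would pin this down. The same docstring should say that "own" is decided per importer type through the `owns` cache, so `can_view_own` inherits that granularity, which is presumably intended.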
@@ -1735,15 +1738,17 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 q2 = self._queryset_filter(models.ImportGroup.query_can_access(user, ["view_import", "change_import"]))
 q2 = q2.order_by("-end_date", "-creation_date", "-pk")
 values = list(reversed(sorted(list(q1) + list(q2), key=lambda x: (x.end_date or x.creation_date))))
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 user, self.request.session
 )
 imports = []
 owns = {}
 for imprt in values:
- can_edit, can_delete = get_permissions_for_actions(
- user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ user, imprt, owns, permissions
 )
+ if not can_view:
+ continue
 imprt.action_list = imprt.get_actions(can_edit=can_edit, can_delete=can_delete)
 imports.append(imprt)
 self.imports_len = len(imports)
@@ -1757,7 +1762,7 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 return imports
 def post(self, request, *args, **kwargs):
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 request.user, request.session
 )
 owns = {}
@@ -1773,8 +1778,8 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView):
 imprt = model.objects.get(pk=int(field.split("-")[-1]))
 except (models.Import.DoesNotExist, ValueError):
 continue
- can_edit, can_delete = get_permissions_for_actions(
- request.user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, imprt, owns, permissions
 )
 action = request.POST[field]
 if can_delete and action == "D":
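Review bot: Visibility is now decided in two places with different rules: the `q2` query admits users through `query_can_access(user, ["view_import", "change_import"])`, while the new `if not can_view: continue` in the loop requires view permission only. If `can_edit_*` does not imply `can_view_*` in the dict returned by `models.Import.get_permissions_for_actions` (not visible here), a change-only user passes the query and then gets an empty list. A comment such as `# listing requires view permission even when change_import granted query access` would state which rule is authoritative; moving the view filter into the query would also avoid fetching rows that are then discarded. The method starts outside the hunk.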
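Review bot: In `post`, `can_view` is unpacked but never consulted, so the action branch (`if can_delete and action == "D":`) is gated only by `can_delete`/`can_edit`, and the list view and the POST handler no longer enforce the same rule for an import the list hides. If view permission is meant to be a precondition for any action, add `if not can_view: continue` directly after the unpack; if not, unpack as `_, can_edit, can_delete` and say so in a comment. The same unused `can_view` appears in the `import_get_status` hunk, where the status fields are built before the permission call; whether access is checked earlier in that function is not visible here. The body of `post` continues outside the hunk.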
@@ -2337,11 +2342,11 @@ def import_get_status(request, current_right=None):
 "number_of_line": item.number_of_line,
 "progress_percent": item.progress_percent,
 })
- can_edit_all, can_delete_all, can_edit_own, can_delete_own = models.Import.get_permissions_for_actions(
+ permissions = models.Import.get_permissions_for_actions(
 request.user, request.session
 )
- can_edit, can_delete = get_permissions_for_actions(
- request.user, item, {}, can_edit_all, can_delete_all, can_edit_own, can_delete_own
+ can_view, can_edit, can_delete = get_permissions_for_actions(
+ request.user, item, {}, permissions
 )
 item_dct["actions"] = [
 (key, str(lbl)) |