author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 12:56:36 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-07-21 13:30:46 +0200 |
commit | a6fecd9a9ea412b743aa689d4fa02c7f15fde322 (patch) | |
tree | d587f8e86f59174f3a1ad71f44c4a7718f0fb68d /ishtar_common/views.py | |
parent | 592cb91a2b3f7aa6e8696af526a9d99d9bd01935 (diff) | |
🐛 imports list: fix permissions check
Diffstat (limited to 'ishtar_common/views.py')
-rw-r--r-- | ishtar_common/views.py | 42 |
1 files changed, 20 insertions, 22 deletions
diff --git a/ishtar_common/views.py b/ishtar_common/views.py index aa47040aa..a4242aa3b 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -1788,20 +1788,22 @@ class ImportPreFormView(IshtarMixin, LoginRequiredMixin, FormView): return HttpResponseRedirect(self.get_success_url()) -def get_permissions_for_actions( - user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own): - can_edit, can_delete = False, False +def get_permissions_for_actions(user, imprt, owns, permissions): + can_view, can_edit, can_delete = False, False, False is_own = None - if can_edit_own or can_delete_own: # need to check owner + if permissions["can_edit_own"] or permissions["can_delete_own"] \ + or permissions["can_view_own"]: # need to check owner if imprt.importer_type_id not in owns: # "is_own" only query once by importer type owns[imprt.importer_type.pk] = imprt.importer_type.is_own(user.ishtaruser) is_own = owns[imprt.importer_type_id] - if can_edit_all or (can_edit_own and is_own): + if permissions["can_view_all"] or (permissions["can_view_own"] and is_own): + can_view = True + if permissions["can_edit_all"] or (permissions["can_edit_own"] and is_own): can_edit = True - if can_delete_all or (can_delete_own and is_own): + if permissions["can_delete_all"] or (permissions["can_delete_own"] and is_own): can_delete = True - return can_edit, can_delete + return can_view, can_edit, can_delete class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): 
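Review bot: `get_permissions_for_actions` now takes an opaque `permissions` dict and returns three values instead of two, but it has no docstring stating either contract. I would add one naming the six keys it indexes (`can_view_all`, `can_view_own`, `can_edit_all`, `can_edit_own`, `can_delete_all`, `can_delete_own`) and the return order, e.g. `"""Return (can_view, can_edit, can_delete) for imprt; permissions must hold the can_{view,edit,delete}_{all,own} flags."""`. A comment should also say that "own" is resolved through `imprt.importer_type.is_own(...)` and cached per importer type in `owns`, so ownership here is a property of the importer type rather than of the individual import. Any caller outside this file that still unpacks two values would raise, which cannot be checked from this hunk.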
@@ -1839,15 +1841,15 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): key=lambda x: (x.end_date or x.creation_date) ) )) - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(user) + permissions = models.Import.get_permissions_for_actions(user) imports = [] owns = {} for imprt in values: - can_edit, can_delete = get_permissions_for_actions( - user, imprt, owns, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + can_view, can_edit, can_delete = get_permissions_for_actions( + user, imprt, owns, permissions ) + if not can_view: + continue imprt.action_list = imprt.get_actions( can_edit=can_edit, can_delete=can_delete ) @@ -1863,8 +1865,7 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): return imports def post(self, request, *args, **kwargs): - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(request.user) + permissions = models.Import.get_permissions_for_actions(request.user) owns = {} for field in request.POST: if not field.startswith("import-action-") or not request.POST[field]: @@ -1878,9 +1879,8 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): imprt = model.objects.get(pk=int(field.split("-")[-1])) except (models.Import.DoesNotExist, ValueError): continue - can_edit, can_delete = get_permissions_for_actions( - request.user, imprt, owns, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + can_view, can_edit, can_delete = get_permissions_for_actions( + request.user, imprt, owns, permissions ) action = request.POST[field] if can_delete and action == "D": 
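Review bot: In `post` (the hunk at `-1878`), `can_view` is unpacked but never tested, so the view restriction this commit adds to the list in `get_queryset` is not applied to submitted actions. The import is loaded from a primary key taken out of the POST field name, so a request can name an import the list would have hidden; the delete branch is gated by `can_delete`, but the remaining action branches lie outside the hunk and I cannot confirm they are gated. Adding `if not can_view:` followed by `continue` directly after the call would mirror the list filter. The last hunk, in `import_get_status`, shows the same pattern: `can_view` is computed after `item_dct` has already been filled with `number_of_line` and `progress_percent` and is only used for the actions list, so the status payload appears to be returned regardless of view permission; how `item` is looked up is not visible there.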
@@ -2456,11 +2456,9 @@ def import_get_status(request, current_right=None): "number_of_line": item.number_of_line, "progress_percent": item.progress_percent, }) - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(request.user) - can_edit, can_delete = get_permissions_for_actions( - request.user, item, {}, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + permissions = models.Import.get_permissions_for_actions(request.user) + can_view, can_edit, can_delete = get_permissions_for_actions( + request.user, item, {}, permissions ) item_dct["actions"] = [ (key, str(lbl)) |