author | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:23:27 +0200 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:23:27 +0200 |
commit | d5664fbc9754e987f124444f9dcc02e46d20e0ad (patch) | |
tree | 7dda58b9fe9912350c56c1c892d549ec18d84995 /ishtar_common/views.py | |
parent | 4e245d53cbba5afd595b2a4effc79800270bba8d (diff) | |
get_item: refactoring of access control check
Diffstat (limited to 'ishtar_common/views.py')
-rw-r--r-- | ishtar_common/views.py | 31 |
1 files changed, 5 insertions, 26 deletions
diff --git a/ishtar_common/views.py b/ishtar_common/views.py index 94e4c1582..3cd00a6a6 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -586,47 +586,26 @@ def get_item(model, func_name, default_name, extra_request_keys=[], """ def func(request, data_type='json', full=False, force_own=False, col_names=None, **dct): - # check rights - own = True # more restrictive by default - allowed = False + available_perms = [] if specific_perms: available_perms = specific_perms[:] - else: - available_perms = ['view_' + model.__name__.lower(), - 'view_own_' + model.__name__.lower()] EMPTY = '' if 'type' in dct: data_type = dct.pop('type') if not data_type: EMPTY = '[]' data_type = 'json' - if not request.user.is_authenticated(): + + allowed, own = models.check_model_access_control(request, model, + available_perms) + if not allowed: return HttpResponse(EMPTY, mimetype='text/plain') - if request.user.ishtaruser.has_right('administrator', - session=request.session): - allowed = True - own = False - else: - for perm, lbl in model._meta.permissions: - if perm not in available_perms: - continue - cperm = model._meta.app_label + '.' + perm - if request.user.has_perm(cperm) \ - or cperm in request.user.get_all_permissions() \ - or request.user.ishtaruser.has_right( - perm, session=request.session): - allowed = True - if "_own_" not in perm: - own = False - break # max right reach if force_own: own = True if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \ request.session['SHORTCUT_SEARCH'] == 'own': own = True - if not allowed: - return HttpResponse(EMPTY, mimetype='text/plain') # get defaults from model if not extra_request_keys and hasattr(model, 'EXTRA_REQUEST_KEYS'): |
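Review bot: The default permission names `'view_' + model.__name__.lower()` and `'view_own_' + model.__name__.lower()` are dropped from this hunk, so when `specific_perms` is empty `models.check_model_access_control` now receives `[]`; whether the helper re-derives those defaults, treats an empty list as "nothing matches" (fail-closed) or as "no restriction" (fail-open) is not visible here, and it decides the outcome for every caller that relied on the default. Worth pinning at the call site once confirmed, e.g. `# [] means: fall back to the model's view_/view_own_ permissions (see check_model_access_control)`, together with a test that an authenticated non-administrator without those permissions still receives the empty response. The removed inline check also only touched `request.user.ishtaruser` after `is_authenticated()` and started from `own = True` as the restrictive default; both guarantees now have to come from the helper, since the new code takes `allowed, own` from it unchecked. `get_item` and the inner `func` both extend beyond this hunk.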