🐛 fix own permissions for sheets - translation in admin page

1 files changed, 9 insertions, 4 deletions

diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 0619f8f8a..9f72171b9 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -20,7 +20,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.contrib.gis.geos import GEOSException
 from django.contrib.staticfiles.templatetags.staticfiles import static
 from django.core.cache import cache
-from django.core.exceptions import ObjectDoesNotExist
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.db.models import (
     F,
     Q,
@@ -383,14 +383,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None):
             check_model = model_for_perms
         allowed, own = check_model_access_control(request, check_model)
         if not allowed:
-            return HttpResponse("", content_type="application/xhtml")
+            raise PermissionDenied()
         q = model.objects
         if own:
-            if not hasattr(request.user, "ishtaruser"):
-                return HttpResponse("")
+            meta = model._meta
+            if not request.user.has_perm(
+                    f"{meta.app_label}.view_own_{meta.model_name}"):
+                raise PermissionDenied()
+            """
+            TODO: remove
             query_own = model.get_query_owns(request.user.ishtaruser)
             if query_own:
                 q = q.filter(query_own).distinct()
+            """
         doc_type = "type" in dct and dct.pop("type")
         try:
             url = reverse("show-" + name, args=["0", ""])