authorÉtienne Loks <etienne.loks@iggdrasil.net>2025-01-09 12:40:57 +0100
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-02-19 14:45:56 +0100
commit13f9202121e5470827174079da7fc699a8227295 (patch)
tree6805622d0a6369412cee1da958768bf94a524f55 /ishtar_common/views_item.py
parentedec846118a178ed1a6a5803f8bcbf26742f4b82 (diff)
downloadIshtar-13f9202121e5470827174079da7fc699a8227295.tar.bz2
Ishtar-13f9202121e5470827174079da7fc699a8227295.zip
🐛 new permissions: fix permission_check for action (refs #6126)
Diffstat (limited to 'ishtar_common/views_item.py')
-rw-r--r--ishtar_common/views_item.py47
1 files changed, 36 insertions, 11 deletions
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 345bd0025..9f5755eaf 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -134,6 +134,23 @@ LIST_FIELDS = { # key: hierarchic depth
HIERARCHIC_FIELDS = list(LIST_FIELDS.keys())
+def get_autocomplete_query(request, app, model_name):
+ ishtaruser = getattr(request.user, "ishtaruser", None)
+ if not ishtaruser or not request.GET.get("term"):
+ return
+ if ishtaruser.has_permission(f"{app}.view_{model_name}"):
+ return Q()
+ if not ishtaruser.has_permission(f"{app}.view_own_{model_name}"):
+ return
+ permission_id = Permission.objects.get(codename=f"view_own_{model_name}").id
+ object_ids = [
+ int(pk) for pk in UserObjectPermission.objects.filter(
+ permission_id=permission_id, user_id=request.user.id
+ ).values_list("object_pk", flat=True)
+ ]
+ return Q(pk__in=object_ids)
+
+
def get_autocomplete_queries(request, label_attributes, extra=None):
if not label_attributes:
return [Q(pk__isnull=True)]
@@ -171,9 +188,17 @@ def get_autocomplete_item(model, extra=None):
extra = {}
def func(request, current_right=None, limit=20):
+ meta = model._meta
+ model_name = meta.model_name.lower()
+ if model_name == "basefind":
+ model_name = "find"
+ base_query = get_autocomplete_query(request, meta.app_label, model_name)
+ if base_query is None:
+ return HttpResponse(content_type="text/plain")
result = OrderedDict()
+ base_query = model.objects.filter(base_query)
for query in get_autocomplete_queries(request, ["cached_label"], extra=extra):
- objects = model.objects.filter(query).values("cached_label", "id")[:limit]
+ objects = base_query.filter(query).values("cached_label", "id")[:limit]
for obj in objects:
if obj["id"] not in list(result.keys()):
result[obj["id"]] = obj["cached_label"]
@@ -190,15 +215,15 @@ def get_autocomplete_item(model, extra=None):
return func
-def check_permission(request, action_slug, obj_id=None):
+def check_permission(request, action_slug, obj=None):
main_menu = Menu(request.user)
main_menu.init()
if action_slug not in main_menu.items:
# TODO
return True
- if obj_id:
+ if obj:
return main_menu.items[action_slug].is_available(
- request.user, obj_id
+ request.user, obj
)
return main_menu.items[action_slug].can_be_available(request.user)
@@ -253,12 +278,12 @@ def get_short_html_detail(model):
def func(request, pk):
model_name = model._meta.object_name
not_permitted_msg = ugettext("Operation not permitted.")
- if not check_permission(request, "view_" + model_name.lower(), pk):
- return HttpResponse(not_permitted_msg)
try:
item = model.objects.get(pk=pk)
except model.DoesNotExist:
return HttpResponse(not_permitted_msg)
+ if not check_permission(request, "view_" + model_name.lower(), item):
+ return HttpResponse(not_permitted_msg)
html = item.get_short_html_detail()
return HttpResponse(html)
@@ -270,15 +295,15 @@ def modify_qa_item(model, frm, callback=None):
template = "ishtar/forms/qa_new_item.html"
model_name = model._meta.object_name
not_permitted_msg = ugettext("Operation not permitted.")
- if not check_permission(request, "change_" + model_name.lower(), pk):
- return HttpResponse(not_permitted_msg)
- slug = model.SLUG
- if model.SLUG == "site":
- slug = "archaeologicalsite"
try:
item = model.objects.get(pk=pk)
except model.DoesNotExist:
return HttpResponse(not_permitted_msg)
+ if not check_permission(request, "change_" + model_name.lower(), item):
+ return HttpResponse(not_permitted_msg)
+ slug = model.SLUG
+ if model.SLUG == "site":
+ slug = "archaeologicalsite"
url_slug = "modify-" + slug
dct = {
"page_name": str(_("Modify a %s" % model_name.lower())),
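Review bot: `Permission.objects.get(codename=f"view_own_{model_name}")` in get_autocomplete_query (first hunk) looks the permission up by codename alone, but Django permissions are unique only per (content_type, codename), so a second app defining the same `view_own_<model>` codename makes this raise MultipleObjectsReturned and a missing permission row raises DoesNotExist — both surface as a 500 on the autocomplete endpoint instead of a denial, even though the `app` argument needed to scope the lookup is already in hand. Scope it and fail closed: `permission_id = Permission.objects.get(content_type__app_label=app, codename=f"view_own_{model_name}").id`, wrapped so that Permission.DoesNotExist returns None like the other deny paths in this function. In the same list comprehension, `int(pk)` raises ValueError if object_pk ever holds a non-numeric key (the cast itself suggests the column is text); passing the string values straight into `Q(pk__in=...)` would avoid that. Separately, renaming check_permission's parameter from obj_id to obj changes what is_available receives; the two callers in this file are updated, but any caller elsewhere still passing a bare pk (not visible here) would now hand a pk where an instance is expected.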