author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-01-10 15:56:33 +0100 |
---|---|---|
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-02-19 14:45:56 +0100 |
commit | 819c4386b554545ddcb5bddce6413e078335e7e4 (patch) | |
tree | efd7bd03f457b764c9f475c02aa0b06255267fc5 /ishtar_common/views_item.py | |
parent | f097ada4ae660c83aaebeffb3dbe2220bf9847c5 (diff) | |
download | Ishtar-819c4386b554545ddcb5bddce6413e078335e7e4.tar.bz2 Ishtar-819c4386b554545ddcb5bddce6413e078335e7e4.zip |
🐛 permissions: manage quick add/modify forms (fix #6101)
Diffstat (limited to 'ishtar_common/views_item.py')
-rw-r--r-- | ishtar_common/views_item.py | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 9f5755eaf..ae8c1cd47 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -216,11 +216,19 @@ def get_autocomplete_item(model, extra=None):
 def check_permission(request, action_slug, obj=None):
+ if not request.user.ishtaruser:
+ return False
 main_menu = Menu(request.user)
 main_menu.init()
 if action_slug not in main_menu.items:
- # TODO
- return True
+ # not an action -> a classic permission
+ if request.user.ishtaruser.has_permission(action_slug):
+ return True
+ if not obj:
+ return False
+ parts = action_slug.split("_")
+ action_slug = f"{parts[0]}_own_{'_'.join(parts[1:])}"
+ return request.user.ishtaruser.has_permission(action_slug, obj)
 if obj:
 return main_menu.items[action_slug].is_available(
 request.user, obj
@@ -233,15 +241,17 @@ def new_qa_item(
 callback=None
 ):
 def func(request, parent_name, limits=""):
- model_name = model._meta.object_name
 not_permitted_msg = ugettext("Operation not permitted.")
- if not check_permission(request, "add_" + model_name.lower()):
+ meta = model._meta
+ permission = f"{meta.app_label}.add_{meta.model_name}"
+ if not check_permission(request, permission):
 return HttpResponse(not_permitted_msg)
 slug = model.SLUG
 if model.SLUG == "site":
 slug = "archaeologicalsite"
 url_slug = "new-" + slug
 current_page_name = page_name[:]
+ model_name = model._meta.object_name
 if not current_page_name:
 current_page_name = _("New %s" % model_name.lower())
 dct = {
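Review bot: The "own" fallback in check_permission splits the whole slug on `_`, but the callers changed in this commit now pass `app_label.codename`, so an app label that itself contains an underscore (this file lives under `ishtar_common`) would yield `ishtar_own_common.change_<model>` instead of what appears to be the intended `ishtar_common.change_own_<model>`. The `view_` and `change_` calls in get_short_html_detail and modify_qa_item pass an object and therefore reach this branch; how `has_permission` treats an unknown name is not visible here, but users holding only the own permission would most likely be refused. Separately, `if not request.user.ishtaruser` may raise rather than return False if `ishtaruser` is a reverse one-to-one accessor or the user is anonymous, which should be confirmed against the model. The sketch below splits on the dot first and reads the attribute defensively; the rest of check_permission continues outside the hunk.

```python
def check_permission(request, action_slug, obj=None):
    # getattr() also covers a user object without a related ishtaruser
    ishtar_user = getattr(request.user, "ishtaruser", None)
    if not ishtar_user:
        return False
    # … unchanged: Menu setup, global permission check, `if not obj` guard …
        # put "own" inside the codename, leaving the app label intact
        app_label, dot, codename = action_slug.rpartition(".")
        action, _sep, target = codename.partition("_")
        own_slug = f"{app_label}{dot}{action}_own_{target}"
        return ishtar_user.has_permission(own_slug, obj)
```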
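Review bot: The permission string is assembled by hand in new_qa_item's `func` (`meta = model._meta` then `permission = f"{meta.app_label}.add_{meta.model_name}"`), and the same two lines recur with `view_` and `change_` in get_short_html_detail and modify_qa_item. Because this string decides whether the request is authorised, a single module-level helper would keep the three call sites in step with the format check_permission expects, for example `def _model_permission(model, action): return f"{model._meta.app_label}.{action}_{model._meta.model_name}"`. Django's `django.contrib.auth.get_permission_codename(action, opts)` already builds the codename half. All three functions start or end outside their hunks, so remaining uses of `model_name` were not checked.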
@@ -276,13 +286,14 @@ def new_qa_item(
 def get_short_html_detail(model):
 def func(request, pk):
- model_name = model._meta.object_name
 not_permitted_msg = ugettext("Operation not permitted.")
 try:
 item = model.objects.get(pk=pk)
 except model.DoesNotExist:
 return HttpResponse(not_permitted_msg)
- if not check_permission(request, "view_" + model_name.lower(), item):
+ meta = model._meta
+ permission = f"{meta.app_label}.view_{meta.model_name}"
+ if not check_permission(request, permission, item):
 return HttpResponse(not_permitted_msg)
 html = item.get_short_html_detail()
 return HttpResponse(html)
@@ -299,7 +310,9 @@ def modify_qa_item(model, frm, callback=None):
 item = model.objects.get(pk=pk)
 except model.DoesNotExist:
 return HttpResponse(not_permitted_msg)
- if not check_permission(request, "change_" + model_name.lower(), item):
+ meta = model._meta
+ permission = f"{meta.app_label}.change_{meta.model_name}"
+ if not check_permission(request, permission, item):
 return HttpResponse(not_permitted_msg)
 slug = model.SLUG
 if model.SLUG == "site": |