| author | Étienne Loks <etienne.loks@iggdrasil.net> | 2019-01-11 16:19:59 +0100 | 
|---|---|---|
| committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2019-01-11 16:19:59 +0100 | 
| commit | 2aa223c0cac8c445e9f3855db66524cfdeae9380 (patch) | |
| tree | 8b9137dd9b68121db86e4e22dfdb7b7016a6f1ad /ishtar_common/wizards.py | |
| parent | 23697dd97eb201dd557272293227ec42a1c95a54 (diff) | |
| parent | daeeeb175835559724c8520f4f5a8dcd5957a469 (diff) | |
Merge branch 'develop'
Diffstat (limited to 'ishtar_common/wizards.py')
| -rw-r--r-- | ishtar_common/wizards.py | 58 | 
1 files changed, 35 insertions, 23 deletions
| diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py index a439cc014..47355dd06 100644 --- a/ishtar_common/wizards.py +++ b/ishtar_common/wizards.py @@ -23,6 +23,7 @@ import os  # from functools import wraps  from django.conf import settings +from django.contrib import messages  from formtools.wizard.views import NamedUrlWizardView, normalize_name, \      get_storage, StepsHelper @@ -115,6 +116,7 @@ class Wizard(IshtarWizard):      )      main_item_select_keys = ('selec-',)      formset_pop_deleted = True +    alt_is_own_method = None  # alternate method name for "is_own" check      saved_args = {}  # argument to pass on object save 
@@ -145,29 +147,39 @@ class Wizard(IshtarWizard):                  form, other_check)          return kwargs +    def check_own_permissions(self, request, step=None, *args, **kwargs): +        # reinit default dispatch of a wizard - not clean... +        self.request = request +        self.session = request.session +        self.prefix = self.get_prefix(request, *args, **kwargs) +        self.storage = get_storage( +            self.storage_name, self.prefix, request, +            getattr(self, 'file_storage', None)) +        self.steps = StepsHelper(self) + +        current_object = self.get_current_object() +        ishtaruser = request.user.ishtaruser \ +            if hasattr(request.user, 'ishtaruser') else None + +        # not the first step and current object is not owned +        if self.steps and self.steps.first != step and current_object: +            is_own = current_object.is_own( +                ishtaruser, alt_query_own=self.alt_is_own_method) +            if not is_own: +                messages.add_message( +                    request, messages.WARNING, +                    _(u"Permission error: you cannot do this action.") +                ) +                self.session_reset(request, self.url_name) +                return +        return True +      def dispatch(self, request, *args, **kwargs):          self.current_right = kwargs.get('current_right', None)          step = kwargs.get('step', None)          # check that the current object is really owned by the current user          if step and self.current_right and '_own_' in self.current_right: - -            # reinit default dispatch of a wizard - not clean... 
-            self.request = request -            self.session = request.session -            self.prefix = self.get_prefix(request, *args, **kwargs) -            self.storage = get_storage( -                self.storage_name, self.prefix, request, -                getattr(self, 'file_storage', None)) -            self.steps = StepsHelper(self) - -            current_object = self.get_current_object() -            ishtaruser = request.user.ishtaruser \ -                if hasattr(request.user, 'ishtaruser') else None - -            # not the fisrt step and current object is not owned -            if self.steps and self.steps.first != step and\ -                    current_object and not current_object.is_own(ishtaruser): -                self.session_reset(request, self.url_name) +            if not self.check_own_permissions(request, *args, **kwargs):                  return HttpResponseRedirect('/')              # extra filter on forms              self.filter_owns_items = True @@ -439,7 +451,7 @@ class Wizard(IshtarWizard):              datas.append((form.form_label, form_datas))          return datas -    def get_extra_model(self, dct, form_list): +    def get_extra_model(self, dct, m2m, form_list):          dct['history_modifier'] = self.request.user          return dct @@ -552,7 +564,7 @@ class Wizard(IshtarWizard):      def save_model(self, dct, m2m, whole_associated_models, form_list,                     return_object): -        dct = self.get_extra_model(dct, form_list) +        dct = self.get_extra_model(dct, m2m, form_list)          obj = self.get_current_saved_object()          data = {}          if obj and hasattr(obj, 'data'): 
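Review bot: `check_own_permissions` takes `step=None` as a named parameter, so the `step` keyword that `dispatch` forwards through `**kwargs` is consumed by the helper and no longer reaches `self.get_prefix(request, *args, **kwargs)`, which did receive it before this refactor; a non-empty `args` would additionally raise `TypeError` for a duplicate `step`. Declaring the helper as `def check_own_permissions(self, request, *args, **kwargs):` and reading `step = kwargs.get('step')` inside it keeps the earlier call unchanged. Because this is the ownership gate, the denial path should end with `return False` rather than a bare `return`. A docstring should also state that `True` is returned on the first step and when `get_current_object()` yields nothing, so callers do not read `True` as "ownership verified". The body of `dispatch` continues past the end of this hunk.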
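Review bot: `m2m` is inserted in the middle of `get_extra_model`'s positional parameters, so any override that still declares `(self, dct, form_list)` will fail with `TypeError` once `save_model` calls `self.get_extra_model(dct, m2m, form_list)`; the same signature change appears in the `save_model` hunk and in `SourceWizard.get_extra_model`. Only `ishtar_common/wizards.py` is shown on this page, so overrides in other modules could not be checked here. The base implementation does not use `m2m`, so a short docstring on the hook, for example `"""Return dct completed with extra model fields; m2m is available to overriding wizards."""`, would record why the argument exists.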
@@ -1181,7 +1193,7 @@ class Wizard(IshtarWizard):          return vals      def get_current_object(self): -        """Get the current object for an instancied wizard""" +        """Get the current object for an instanced wizard"""          current_obj = None          for key in self.main_item_select_keys:              main_form_key = key + self.url_name @@ -1787,8 +1799,8 @@ class AccountWizard(Wizard):  class SourceWizard(Wizard):      model = None -    def get_extra_model(self, dct, form_list): -        dct = super(SourceWizard, self).get_extra_model(dct, form_list) +    def get_extra_model(self, dct, m2m, form_list): +        dct = super(SourceWizard, self).get_extra_model(dct, m2m, form_list)          if 'history_modifier' in dct:              dct.pop('history_modifier')          return dct | 
