diff options
| author | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-01-09 17:21:58 +0100 |
|---|---|---|
| committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2025-02-19 14:45:56 +0100 |
| commit | 26e3b520a236c6afdf3282b71a4f959b328de551 (patch) | |
| tree | dcc44f34176459360161cde7e27b41d8c736c3eb /ishtar_common | |
| parent | 13f9202121e5470827174079da7fc699a8227295 (diff) | |
| download | Ishtar-26e3b520a236c6afdf3282b71a4f959b328de551.tar.bz2 Ishtar-26e3b520a236c6afdf3282b71a4f959b328de551.zip | |
🐛 add permission for created object to the current user (fix #6118)
Diffstat (limited to 'ishtar_common')
| -rw-r--r-- | ishtar_common/models.py | 40 | ||||
| -rw-r--r-- | ishtar_common/views.py | 11 | ||||
| -rw-r--r-- | ishtar_common/wizards.py | 17 |
3 files changed, 49 insertions, 19 deletions
diff --git a/ishtar_common/models.py b/ishtar_common/models.py index 1540597f9..9197a67bf 100644 --- a/ishtar_common/models.py +++ b/ishtar_common/models.py @@ -3637,7 +3637,11 @@ class UserProfile(models.Model): return new_item def _generate_permission(self, ishtar_user, content_type, permission_query, - permissions, permission_type): + permissions, permission_type, obj_id=None): + if obj_id: + if permission_query.include_associated_items: + return [obj_id] + return item_ids = [] model_class = content_type.model_class() if permission_query.include_associated_items: @@ -3703,18 +3707,19 @@ class UserProfile(models.Model): return item_ids def generate_permission(self, content_type, permission_type, - base_permission_only=False): + base_permission_only=False, obj_id=None): ishtar_user = self.person.ishtaruser if self.expiration_date and self.expiration_date < datetime.date.today(): return # add base permissions - for group in self.profile_type.groups.all(): - for perm in group.permissions.filter( - content_type=content_type, - codename__startswith=permission_type).all(): - ishtar_user.user_ptr.user_permissions.add(perm) + if not obj_id: + for group in self.profile_type.groups.all(): + for perm in group.permissions.filter( + content_type=content_type, + codename__startswith=permission_type).all(): + ishtar_user.user_ptr.user_permissions.add(perm) if base_permission_only: return @@ -3739,19 +3744,22 @@ class UserProfile(models.Model): # DEBUG # print(f"WARNING: no permission request for content {content_type.name} and profile {self}") # print("Using old behaviour") - model_class = content_type.model_class() - query = None - if hasattr(model_class, "get_owns"): - query = model_class.get_owns(user=ishtar_user, query=True, no_auth_check=True) - if query: - item_ids = list( - model_class.objects.filter(query).values_list("pk", flat=True) - ) + if obj_id: + item_ids = [obj_id] + else: + model_class = content_type.model_class() + query = None + if hasattr(model_class, "get_owns"): + query = model_class.get_owns(user=ishtar_user, query=True, no_auth_check=True) + if query: + item_ids = list( + model_class.objects.filter(query).values_list("pk", flat=True) + ) else: for perm_request in q_req.all(): item_ids += self._generate_permission( ishtar_user, content_type, perm_request, permissions, - permission_type + permission_type, obj_id=obj_id ) user_id = ishtar_user.user_ptr.pk item_ids = list(set(item_ids)) diff --git a/ishtar_common/views.py b/ishtar_common/views.py index 3a7dc06b7..1a9eab72f 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -2797,6 +2797,17 @@ class DocumentCreateView(DocumentFormMixin, CreateView): return kwargs + def form_valid(self, form): + returned = super().form_valid(form) + ct = ContentType.objects.get_for_model(self.object) + for profile in self.request.user.ishtaruser.person.profiles.all(): + for permission_type in ("view", "change", "delete"): + profile.generate_permission( + ct, permission_type, + obj_id=self.object.pk + ) + return returned + class DocumentSelectView(IshtarMixin, LoginRequiredMixin, FormView): form_class = forms.DocumentFormSelection diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py index e5da4c8f6..f7305a573 100644 --- a/ishtar_common/wizards.py +++ b/ishtar_common/wizards.py @@ -32,6 +32,7 @@ from formtools.wizard.views import ( StepsHelper, ) +from django.contrib.contenttypes.models import ContentType from django.contrib.sites.models import Site from django.core.exceptions import ObjectDoesNotExist from django.core.files.images import ImageFile @@ -50,8 +51,8 @@ from django.utils.safestring import mark_safe from ishtar_common import models, models_rest from ishtar_common.forms import CustomForm, reverse_lazy -from ishtar_common.utils import get_all_field_names, get_person_gdpr_log, MultiValueDict,\ - put_session_message +from ishtar_common.utils import get_all_field_names, \ + get_person_gdpr_log, MultiValueDict, put_session_message logger = logging.getLogger(__name__) @@ -1101,6 +1102,7 @@ class Wizard(IshtarWizard): if not lbl and hasattr(obj, "_generate_cached_label"): lbl = obj._generate_cached_label() msg += str(_("{} created.")).format(lbl) + messages.add_message(self.request, messages.INFO, msg) if self.redirect_url: url = reverse(self.redirect_url) @@ -1118,7 +1120,16 @@ class Wizard(IshtarWizard): return return_object and (obj, res) or res def post_save(self): - return + # add permission for the created object to the current user + if self.modification or self.deletion or not self.request.user.ishtaruser: + return + ct = ContentType.objects.get_for_model(self.current_object) + for profile in self.request.user.ishtaruser.person.profiles.all(): + for permission_type in ("view", "change", "delete"): + profile.generate_permission( + ct, permission_type, + obj_id=self.current_object.pk + ) def get_deleted(self, keys): """ |