authorÉtienne Loks <etienne.loks@iggdrasil.net>2025-02-03 18:09:40 +0100
committerÉtienne Loks <etienne.loks@iggdrasil.net>2025-02-19 14:45:56 +0100
commitc521890c09140f14699b7bbe0b6cf72e3b2ff10c (patch)
tree765c5d9274779d34d1806128a6b27f2747f6e81b /ishtar_common
parenta224726262214c4cffb8bd63da5e8c7ab52a166e (diff)
✨ filter container columns when no permission is allowed (refs #6100)
Diffstat (limited to 'ishtar_common')
-rw-r--r--ishtar_common/views_item.py18
1 files changed, 15 insertions, 3 deletions
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 7407eb37f..f2d0ffdd5 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -2038,7 +2038,7 @@ def _get_json_stats(
return HttpResponse(data, content_type="application/json")
-def _get_table_cols(data_type, own_table_cols, full, model):
+def _get_table_cols(request, data_type, own_table_cols, full, model):
# list of table cols depending on configuration and data send
if data_type == "json-map":
return [] # only pk for map
@@ -2067,7 +2067,17 @@ def _get_table_cols(data_type, own_table_cols, full, model):
if callable(table_cols):
table_cols = table_cols()
table_cols = list(table_cols)
- return table_cols
+ if not hasattr(model, "TABLE_COLS_FILTERS"):
+ return table_cols
+ filtered_table_cols = []
+ for col_name in table_cols:
+ for key in model.TABLE_COLS_FILTERS:
+ if not col_name.startswith(key) or \
+ request.user.ishtaruser.has_permission(
+ model.TABLE_COLS_FILTERS[key]
+ ):
+ filtered_table_cols.append(col_name)
+ return filtered_table_cols
def split_dict(dct):
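Review bot: The inner loop of the added filter appends `col_name` once for every key in `TABLE_COLS_FILTERS` whose test passes, so with more than one key a restricted column is still returned (it does not start with the other keys) and unrestricted columns are duplicated; with an empty mapping no column is returned at all. The filter therefore only behaves as intended when the mapping holds exactly one key. Working out the denied prefixes once and keeping a column only when it matches none of them fixes this, and also calls `has_permission` once per key instead of once per column and key. `request.user.ishtaruser` is dereferenced without a guard, which presumably raises for a user that has no Ishtar profile; that is worth confirming against the callers. `_get_table_cols` begins outside this hunk.

```python
    table_cols = list(table_cols)
    # … unchanged: early return when the model has no TABLE_COLS_FILTERS …
    ishtar_user = request.user.ishtaruser
    # Evaluate each permission once; a prefix is denied when its permission is missing.
    denied_prefixes = tuple(
        key
        for key in model.TABLE_COLS_FILTERS
        if not ishtar_user.has_permission(model.TABLE_COLS_FILTERS[key])
    )
    # str.startswith() with an empty tuple is False, so nothing is dropped
    # when every permission is granted.
    return [
        col_name
        for col_name in table_cols
        if not col_name.startswith(denied_prefixes)
    ]
```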
@@ -2691,7 +2701,7 @@ def get_item(
return items
items = items.distinct()
- table_cols = _get_table_cols(data_type, own_table_cols, full, model)
+ table_cols = _get_table_cols(request, data_type, own_table_cols, full, model)
count_values = ["pk"]
query_distinct_count = getattr(model, "QUERY_DISTINCT_COUNT", None)
@@ -2815,6 +2825,8 @@ def get_item(
if col_num < 2 and len(sort_keys) <= 2:
orders.append("pk")
continue
+ if (col_num - 2) >= len(query_table_cols):
+ break
k = query_table_cols[col_num - 2]
if k in request_keys:
ks = request_keys[k]