author | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:52:12 +0200 |
committer | Étienne Loks <etienne.loks@iggdrasil.net> | 2017-04-13 12:52:12 +0200 |
commit | 1b642d737b55c20ea2b83afbf63d701acd25fc00 (patch) | |
tree | ca945f5aae6c049a562be219a3d15dcae2d2a955 /ishtar_common | |
parent | d5664fbc9754e987f124444f9dcc02e46d20e0ad (diff) | |
Access control: fix show own item (not *all* items) (refs #3593)
Diffstat (limited to 'ishtar_common')
-rw-r--r-- | ishtar_common/models.py | 2 | ||||
-rw-r--r-- | ishtar_common/views.py | 12 |
2 files changed, 11 insertions, 3 deletions
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index 77b4ed335..f1de8c60a 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -125,7 +125,7 @@ def check_model_access_control(request, model, available_perms=None):
 if "_own_" not in perm:
 own = False
 break # max right reach
- return allowed, own
+ return allowed, own
 
 
 class Imported(models.Model):
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 3cd00a6a6..f185576ea 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -1192,10 +1192,18 @@ def display_item(model, extra_dct=None, show_url=None):
 
 def show_item(model, name, extra_dct=None):
 def func(request, pk, **dct):
+ allowed, own = models.check_model_access_control(request, model)
+ if not allowed:
+ return HttpResponse('', content_type="application/xhtml")
+ q = model.objects
+ if own:
+ query_own = model.get_query_owns(request.user)
+ if query_own:
+ q = q.filter(query_own)
 try:
- item = model.objects.get(pk=pk)
+ item = q.get(pk=pk)
 except ObjectDoesNotExist:
- return HttpResponse('NOK')
 doc_type = 'type' in dct and dct.pop('type')
 url_name = u"/".join(reverse('show-' + name, args=['0', '']
 ).split('/')[:-2]) + u"/"
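Review bot: In the new `if own:` branch of `func` in views.py, a model whose `get_query_owns()` returns a falsy value leaves `q = model.objects` unfiltered, so a user holding only an `_own_` permission is served any item by pk — presumably the same over-exposure the commit title is fixing, reached by a different path. Treating a missing ownership query as a denial is the safer default: `if not query_own: return HttpResponse('', content_type="application/xhtml")` followed by `q = q.filter(query_own)`. Both early returns also answer with status 200, so a caller checking the status cannot tell "not allowed" or "not found" from success; `HttpResponse('', content_type="application/xhtml", status=403)` and `HttpResponse('NOK', status=404)` keep the bodies as they are and carry the intent. `func` continues past the end of the hunk, and whether `check_model_access_control` already handles an anonymous `request.user` is not visible from either hunk (the models.py hunk only re-indents its `return allowed, own`, and the exact indentation is lost in this rendering).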