Sheet: only display window link when permissions are OK

7 files changed, 53 insertions, 25 deletions

diff --git a/ishtar_common/forms_common.py b/ishtar_common/forms_common.py
index 1cbaecb92..b461d6266 100644
--- a/ishtar_common/forms_common.py
+++ b/ishtar_common/forms_common.py
@@ -40,7 +40,7 @@ from django.utils.translation import ugettext_lazy as _, pgettext
 import models
 import widgets
 from bootstrap_datepicker.widgets import DatePicker
-from ishtar_common.templatetags.link_to_window import link_to_window
+from ishtar_common.templatetags.link_to_window import simple_link_to_window
 from forms import FinalForm, FormSet, reverse_lazy, name_validator, \
     TableSelect, ManageOldType, CustomForm, FieldType, FormHeader, \
     FormSetWithDeleteSwitches, IshtarForm, get_data_from_formset
@@ -414,7 +414,7 @@ class MergeIntoForm(forms.Form):
             except self.associated_model.DoesNotExist:
                 continue
             self.fields['main_item'].choices.append(
-                (item.pk, mark_safe(u"{} {}".format(link_to_window(item),
+                (item.pk, mark_safe(u"{} {}".format(simple_link_to_window(item),
                                                     unicode(item)))))
 
     def merge(self):
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index 2915c4997..319f19539 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -238,21 +238,29 @@ class OwnPerms(object):
         """
         return None  # implement for each object
 
+    def can_view(self, request):
+        if hasattr(self, "LONG_SLUG"):
+            perm = "view_" + self.LONG_SLUG
+        else:
+            perm = "view_" + self.SLUG
+        return self.can_do(request, perm)
+
     def can_do(self, request, action_name):
         """
         Check permission availability for the current object.
         :param request: request object
-        :param action_name: action name eg: "change_find" - "own" declinaison is
+        :param action_name: action name eg: "change_find" - "own" variation is
         checked
         :return: boolean
         """
+        if not getattr(request.user, 'ishtaruser', None):
+            return False
         splited = action_name.split('_')
         action_own_name = splited[0] + '_own_' + '_'.join(splited[1:])
-        return request.user.ishtaruser.has_right(
-            action_name, request.session) or \
-               (request.user.ishtaruser.has_right(
-                   action_own_name, request.session)
-                and self.is_own(request.user.ishtaruser))
+        user = request.user
+        return user.ishtaruser.has_right(action_name, request.session) or \
+               (user.ishtaruser.has_right(action_own_name, request.session)
+                and self.is_own(user.ishtaruser))
 
     def is_own(self, user, alt_query_own=None):
         """
diff --git a/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html b/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
index 6247920cd..d3a49ecc9 100644
--- a/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
+++ b/ishtar_common/templates/ishtar/blocks/sheet_creation_section.html
@@ -1,7 +1,7 @@
 {% load i18n link_to_window %}
 {% if item.history_creator.ishtaruser.person %}
 <div class="col-12 col-md-6 col-lg-3 flex-wrap">
-    <dt>{% trans "Creation" context "Sheet" %}{{item.history_creator.ishtaruser.person|link_to_window}}</dt>
+    <dt>{% trans "Creation" context "Sheet" %}{{item.history_creator.ishtaruser.person|link_to_window:request}}</dt>
     <dd>
         {{item.history_creator.ishtaruser.person}}<br/>
         <small class="text-muted">{{item.history_creation_date|date:"DATETIME_FORMAT"}}</small>
@@ -10,7 +10,7 @@
 {% endif %}
 {% if item.history_creation_date != item.last_edition_date %}
 <div class="col-12 col-md-6 col-lg-3 flex-wrap">
-    <dt>{% trans "Modification" context "Sheet" %}{{item.history_modifier.ishtaruser.person|link_to_window}}</dt>
+    <dt>{% trans "Modification" context "Sheet" %}{{item.history_modifier.ishtaruser.person|link_to_window:request}}</dt>
     <dd>
         {{item.history_modifier.ishtaruser.person}}<br/>
         <small class="text-muted">{% firstof item.history_date|date:"DATETIME_FORMAT" item.history.all.0.history_date|date:"DATETIME_FORMAT" %}</small>
diff --git a/ishtar_common/templates/ishtar/import_step_by_step.html b/ishtar_common/templates/ishtar/import_step_by_step.html
index 998bf99c6..4b791b98f 100644
--- a/ishtar_common/templates/ishtar/import_step_by_step.html
+++ b/ishtar_common/templates/ishtar/import_step_by_step.html
@@ -189,7 +189,7 @@
 
 <div class="card">
     <div class="card-body">
-        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|link_to_window}} ({{obj.get_verbose_name}})</h5>
+        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|simple_link_to_window}} ({{obj.get_verbose_name}})</h5>
     </div>
     <div class="card-body">
 
@@ -235,7 +235,7 @@
 
 <div class="card">
     <div class="card-body">
-        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|link_to_window}} ({{obj.get_verbose_name}})</h5>
+        <h5 class="card-title">{{path}} &ndash; {{obj}} {{obj|simple_link_to_window}} ({{obj.get_verbose_name}})</h5>
     </div>
     <div class="card-body">
 
diff --git a/ishtar_common/templatetags/link_to_window.py b/ishtar_common/templatetags/link_to_window.py
index fca5a9f91..892492895 100644
--- a/ishtar_common/templatetags/link_to_window.py
+++ b/ishtar_common/templatetags/link_to_window.py
@@ -9,7 +9,7 @@ register = Library()
 
 
 @register.filter
-def link_to_window(item):
+def simple_link_to_window(item):
     if not hasattr(item, 'SHOW_URL'):
         return ""
     return mark_safe(
@@ -20,6 +20,22 @@ def link_to_window(item):
 
 
 @register.filter
+def link_to_window(item, context):
+    if not hasattr(item, 'can_view'):  # no permission check
+        return simple_link_to_window(item)
+    if hasattr(context, "request"):  # WSGIRequest
+        request = context.request
+    elif "request" in context:  # RequestContext
+        request = context['request']
+    else:
+        return u""
+    if not item.can_view(request):
+        print(item, "NOK3")
+        return u""
+    return simple_link_to_window(item)
+
+
+@register.filter
 def link_to_odt(item):
     return reverse(item.SHOW_URL, args=[item.pk, 'odt'])
 
@@ -52,7 +68,7 @@ def add_links(items, extra_attr=''):
             lbl = item.fancy_str()
         else:
             lbl = unicode(item)
-        html.append(u"{} {}".format(lbl, link_to_window(item_lnk)))
+        html.append(u"{} {}".format(lbl, simple_link_to_window(item_lnk)))
     return mark_safe(u"<br/>".join(html))
 
 
diff --git a/ishtar_common/templatetags/window_field.py b/ishtar_common/templatetags/window_field.py
index 30a711ed9..3af9ed634 100644
--- a/ishtar_common/templatetags/window_field.py
+++ b/ishtar_common/templatetags/window_field.py
@@ -145,20 +145,24 @@ def field_flex_multiple_full(caption, data, small=False):
     return field_multiple(caption, data, size=size)
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_detail.html')
-def field_detail(caption, item, li=False, size=None):
-    return {'caption': caption, 'item': item, 'link': link_to_window(item),
+@register.inclusion_tag('ishtar/blocks/window_field_detail.html',
+                        takes_context=True)
+def field_detail(context, caption, item, li=False, size=None):
+    return {'caption': caption, 'item': item,
+            'link': link_to_window(item, context),
             'li': li, 'size': size}
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_detail.html')
-def field_li_detail(caption, item):
-    return field_detail(caption, item, li=True)
+@register.inclusion_tag('ishtar/blocks/window_field_detail.html',
+                        takes_context=True)
+def field_li_detail(context, caption, item):
+    return field_detail(context, caption, item, li=True)
 
 
-@register.inclusion_tag('ishtar/blocks/window_field_flex_detail.html')
-def field_flex_detail(caption, item, small=False):
+@register.inclusion_tag('ishtar/blocks/window_field_flex_detail.html',
+                        takes_context=True)
+def field_flex_detail(context, caption, item, small=False):
     size = None
     if small:
         size = 2
-    return field_detail(caption, item, size=size)
+    return field_detail(context, caption, item, size=size)
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 710feb8c6..8b2602dbc 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -58,7 +58,7 @@ from ishtar_common import forms_common as forms
 from ishtar_common import wizards
 from ishtar_common.forms import FinalForm, FinalDeleteForm
 from ishtar_common.models import get_current_profile
-from ishtar_common.templatetags.link_to_window import link_to_window
+from ishtar_common.templatetags.link_to_window import simple_link_to_window
 from ishtar_common.utils import clean_session_cache, CSV_OPTIONS, \
     get_field_labels_from_path, get_random_item_image_link, shortify
 from ishtar_common.widgets import JQueryAutoComplete
@@ -1457,7 +1457,7 @@ class ImportStepByStepView(IshtarMixin, LoginRequiredMixin, TemplateView):
 
     def get_value(self, item):
         if hasattr(item, 'SHOW_URL'):
-            return u"{}{}".format(unicode(item), link_to_window(item))
+            return u"{}{}".format(unicode(item), simple_link_to_window(item))
         if hasattr(item, 'explicit_label'):
             return item.explicit_label
         if item in (None, [], [None]):