authorÉtienne Loks <etienne.loks@iggdrasil.net>2017-04-13 12:23:27 +0200
committerÉtienne Loks <etienne.loks@iggdrasil.net>2017-04-13 12:23:27 +0200
commitd5664fbc9754e987f124444f9dcc02e46d20e0ad (patch)
tree7dda58b9fe9912350c56c1c892d549ec18d84995 /ishtar_common
parent4e245d53cbba5afd595b2a4effc79800270bba8d (diff)
get_item: refactoting of access control check
Diffstat (limited to 'ishtar_common')
-rw-r--r--ishtar_common/models.py38
-rw-r--r--ishtar_common/views.py31
2 files changed, 43 insertions, 26 deletions
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index 44bc138eb..77b4ed335 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -90,6 +90,44 @@ def post_save_user(sender, **kwargs):
post_save.connect(post_save_user, sender=User)
+def check_model_access_control(request, model, available_perms=None):
+ """
+ Check access control to a model for a specific request
+
+ :param request: the current request
+ :param model: the concerned model
+ :param available_perms: specific permissions to check if not specified
+ "view" and "view_own" will be checked
+ :return: (allowed, own) tuple
+ """
+ own = True # more restrictive by default
+ allowed = False
+ if not request.user.is_authenticated():
+ return allowed, own
+
+ if not available_perms:
+ available_perms = ['view_' + model.__name__.lower(),
+ 'view_own_' + model.__name__.lower()]
+ if request.user.ishtaruser.has_right('administrator',
+ session=request.session):
+ allowed = True
+ own = False
+ return allowed, own
+ for perm, lbl in model._meta.permissions:
+ if perm not in available_perms:
+ continue
+ cperm = model._meta.app_label + '.' + perm
+ if request.user.has_perm(cperm) \
+ or cperm in request.user.get_all_permissions() \
+ or request.user.ishtaruser.has_right(
+ perm, session=request.session):
+ allowed = True
+ if "_own_" not in perm:
+ own = False
+ break # max right reach
+ return allowed, own
+
+
class Imported(models.Model):
imports = models.ManyToManyField(
'Import', blank=True, null=True,
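Review bot: The `break` at the end of the permission loop in check_model_access_control fires on the first entry of available_perms the user holds, so the `own` result depends on the declaration order of `model._meta.permissions`: if `view_own_<model>` is listed before `view_<model>`, a user holding both is scoped to own records even though the wider permission would have cleared `own`. Moving the break inside the non-own branch — `if "_own_" not in perm:` / `    own = False` / `    break  # widest grant reached` — keeps the early exit for the widest grant and lets the loop keep scanning after an own-only match; either way the function stays fail-closed (allowed=False, own=True by default), so this is an over-restriction rather than an escalation. The permissions tuple is not visible here, so whether the ordering actually bites is inferred. The docstring would also benefit from stating that available_perms entries not declared in `model._meta.permissions` are silently never matched, so a misspelled entry in a caller's specific_perms yields a permanent denial with no signal.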
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 94e4c1582..3cd00a6a6 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -586,47 +586,26 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
"""
def func(request, data_type='json', full=False, force_own=False,
col_names=None, **dct):
- # check rights
- own = True # more restrictive by default
- allowed = False
+ available_perms = []
if specific_perms:
available_perms = specific_perms[:]
- else:
- available_perms = ['view_' + model.__name__.lower(),
- 'view_own_' + model.__name__.lower()]
EMPTY = ''
if 'type' in dct:
data_type = dct.pop('type')
if not data_type:
EMPTY = '[]'
data_type = 'json'
- if not request.user.is_authenticated():
+
+ allowed, own = models.check_model_access_control(request, model,
+ available_perms)
+ if not allowed:
return HttpResponse(EMPTY, mimetype='text/plain')
- if request.user.ishtaruser.has_right('administrator',
- session=request.session):
- allowed = True
- own = False
- else:
- for perm, lbl in model._meta.permissions:
- if perm not in available_perms:
- continue
- cperm = model._meta.app_label + '.' + perm
- if request.user.has_perm(cperm) \
- or cperm in request.user.get_all_permissions() \
- or request.user.ishtaruser.has_right(
- perm, session=request.session):
- allowed = True
- if "_own_" not in perm:
- own = False
- break # max right reach
if force_own:
own = True
if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \
request.session['SHORTCUT_SEARCH'] == 'own':
own = True
- if not allowed:
- return HttpResponse(EMPTY, mimetype='text/plain')
# get defaults from model
if not extra_request_keys and hasattr(model, 'EXTRA_REQUEST_KEYS'):