5 files changed, 44 insertions, 9 deletions
diff --git a/ishtar_common/forms.py b/ishtar_common/forms.py
index ffe44298c..f0e900208 100644
--- a/ishtar_common/forms.py
+++ b/ishtar_common/forms.py
@@ -1292,7 +1292,7 @@ class QAForm(CustomForm, ManageOldType):
     def __init__(self, *args, **kwargs):
         self.items = kwargs.pop("items")
         self.confirm = kwargs.pop("confirm")
-        super(QAForm, self).__init__(*args, **kwargs)
+        super().__init__(*args, **kwargs)
         len_items = len(self.items)
         for k in list(self.fields.keys()):
             if self.MULTI and len_items > 1 and k in self.SINGLE_FIELDS:
@@ -1338,7 +1338,7 @@ class QAForm(CustomForm, ManageOldType):
         value = self.cleaned_data[base_key]
         if not value:
             return
-        key = base_key[len(self.PREFIX) :]
+        key = base_key[len(self.PREFIX):]
         field = item._meta.get_field(key)
         if getattr(field, "related_model", None):
             is_list = isinstance(value, (list, tuple))
@@ -1389,7 +1389,21 @@ class QAForm(CustomForm, ManageOldType):
         return value
 
     def save(self, items, user):
+        if not items or not user.ishtaruser:
+            return
+        model = items[0].__class__._meta
+        full_permission = f"{model.app_label}.change_{model.model_name}"
+        own_permission = f"{model.app_label}.change_own_{model.model_name}"
+        has_full_permission = user.ishtaruser.has_permission(full_permission)
+        if not has_full_permission:
+            if not user.ishtaruser.has_permission(own_permission):
+                return _("You don't have sufficient permissions to do this action.")
+        errors = []
         for item in items:
+            if not has_full_permission:
+                if not user.ishtaruser.has_permission(own_permission, item):
+                    errors.append(str(item))
+                    continue
             for base_key in self.cleaned_data:
                 if hasattr(self, "_set_" + base_key):
                     getattr(self, "_set_" + base_key)(item, user)
@@ -1398,6 +1412,11 @@ class QAForm(CustomForm, ManageOldType):
             item.history_modifier = user
             item._cached_label_checked = False
             item.save()
+        if not errors:
+            return
+        msg = str(_("You don't have sufficient permissions to edit: "))
+        msg2 = str(_("Other changes (if any) have been made successfully."))
+        return f"{msg}{' ; '.join(errors)}. {msg2}"
 
 
 class DocumentGenerationForm(forms.Form):
diff --git a/ishtar_common/templates/ishtar/forms/success.html b/ishtar_common/templates/ishtar/forms/success.html
index e18efd605..963273276 100644
--- a/ishtar_common/templates/ishtar/forms/success.html
+++ b/ishtar_common/templates/ishtar/forms/success.html
@@ -24,7 +24,11 @@ $(document).ready(function(){
             </button>
         </div>
         <div class="modal-body form-row">
-            {% trans "Changes made successfully. It may be necessary to refresh the sheet." %}
+            {% if message %}
+            {{ message }}
+            {% else %}
+            {% trans "Changes made successfully. It may be necessary to refresh the table/sheet." %}
+            {% endif %}
         </div>
     </div>
 </div>
diff --git a/ishtar_common/urls.py b/ishtar_common/urls.py
index cbf31abc3..f3e22ac5d 100644
--- a/ishtar_common/urls.py
+++ b/ishtar_common/urls.py
@@ -357,7 +357,7 @@ urlpatterns = [
     url(r"^alerts/$", views.AlertList.as_view(), name="alert-list"),
     url(
         r"^success(?:/(?P<context>[a-z-]+)(?:/(?P<arg>[0-9a-z-|]+))?)?/$",
-        TemplateView.as_view(template_name="ishtar/forms/success.html"),
+        views.SuccessView.as_view(),
         name="success",
     ),
 ]
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 1f7ffede7..8d0b70b2f 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -3010,6 +3010,17 @@ class SearchQueryEdit(SearchQueryMixin, LoginRequiredMixin, FormView):
         return reverse("success", args=["bookmark"])
 
 
+class SuccessView(TemplateView):
+    template_name = "ishtar/forms/success.html"
+
+    def get_context_data(self, **kwargs):
+        data = super().get_context_data(**kwargs)
+        msg = self.request.GET.get("message")
+        if msg:
+            data["message"] = urllib.parse.unquote(msg)
+        return data
+
+
 class BookmarkList(
     SearchQueryMixin, JSONResponseMixin, LoginRequiredMixin, TemplateView
 ):
@@ -3251,8 +3262,11 @@ class QAItemEditForm(QAItemForm):
         return self.form_save(form)
 
     def form_save(self, form):
-        form.save(self.items, self.request.user)
-        return HttpResponseRedirect(reverse("success"))
+        message = form.save(self.items, self.request.user)
+        extra_args = ""
+        if message:
+            extra_args = "?message=" + urllib.parse.quote(message)
+        return HttpResponseRedirect(reverse("success") + extra_args)
 
 
 class QABaseLockView(QAItemForm):
diff --git a/locale/fr/LC_MESSAGES/django.po b/locale/fr/LC_MESSAGES/django.po
index ce26be46c..a2771818f 100644
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@@ -15316,10 +15316,8 @@ msgid "Profile(s)"
 msgstr "Profil(s)"
 
 #: ishtar_common/templates/ishtar/sheet_ishtaruser.html:79
-#, fuzzy
-#| msgid "Permissions"
 msgid "Permission(s)"
-msgstr "Permissions"
+msgstr "Permission(s)"
 
 #: ishtar_common/templates/ishtar/sheet_ishtaruser.html:91
 msgid "Account administrator: all permissions are granted."