-rw-r--r-- | archaeological_context_records/tests.py | 4 | ||||
-rw-r--r-- | archaeological_files/tests.py | 4 | ||||
-rw-r--r-- | archaeological_operations/tests.py | 15 | ||||
-rw-r--r-- | ishtar_common/admin.py | 21 | ||||
-rw-r--r-- | ishtar_common/tests.py | 16 | ||||
-rw-r--r-- | ishtar_common/views_item.py | 13 |
6 files changed, 41 insertions, 32 deletions
diff --git a/archaeological_context_records/tests.py b/archaeological_context_records/tests.py index f550d23ce..d15c24a00 100644 --- a/archaeological_context_records/tests.py +++ b/archaeological_context_records/tests.py @@ -550,9 +550,7 @@ class ContextRecordTest(ContextRecordInit, TestCase): obj = self.context_records[0] c = Client() response = c.get(reverse("show-contextrecord", kwargs={"pk": obj.pk})) - self.assertEqual(response.status_code, 200) - # empty content when not allowed - self.assertEqual(response.content, b"") + self.assertEqual(response.status_code, 403) c.login(username=self.username, password=self.password) response = c.get(reverse("show-contextrecord", kwargs={"pk": obj.pk})) diff --git a/archaeological_files/tests.py b/archaeological_files/tests.py index 47d0339e8..17ed5a489 100644 --- a/archaeological_files/tests.py +++ b/archaeological_files/tests.py @@ -243,9 +243,7 @@ class FileTest(TestCase, FileInit): url = "show-file" pk = self.item.pk response = self.client.get(reverse(url, kwargs={"pk": pk})) - self.assertEqual(response.status_code, 200) - # empty content when not allowed - self.assertEqual(response.content.decode(), "") + self.assertEqual(response.status_code, 403) self.login_as_superuser() response = self.client.get(reverse(url, kwargs={"pk": pk})) diff --git a/archaeological_operations/tests.py b/archaeological_operations/tests.py index 41d4a8611..e0c5df3ef 100644 --- a/archaeological_operations/tests.py +++ b/archaeological_operations/tests.py @@ -2351,9 +2351,8 @@ class OperationTest(TestCase, OperationInitTest): c = Client() response = c.get(reverse("show-operation", kwargs={"pk": operation.pk})) - self.assertEqual(response.status_code, 200) - # empty content when not allowed - self.assertEqual(response.content, b"") + # permission denied when not allowed + self.assertEqual(response.status_code, 403) response = c.get(reverse("show-document", kwargs={"pk": source.pk})) self.assertRedirects(response, "/") 
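Review bot: The updated assertions in these test hunks (and the matching ones further down in archaeological_operations/tests.py and ishtar_common/tests.py) only exercise an unauthenticated `Client()`, so the new 403 path is pinned for anonymous requests only, as far as the visible lines show. The view change in ishtar_common/views_item.py also adds a `view_own_*` permission check. A case for a logged-in user without that permission, and one for a user holding only `view_own_*` who requests a record they do not own, would cover the branch that matters most for access control. Since the old tests asserted an empty body, it is also worth keeping a check that the 403 response carries none of the record's data, e.g. `self.assertNotContains(response, <field value of the record>, status_code=403)`.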
@@ -2393,9 +2392,8 @@ class OperationTest(TestCase, OperationInitTest):
 response = c.get(
 reverse("show-operation", kwargs={"pk": operation.pk, "type": "pdf"})
 )
- self.assertEqual(response.status_code, 200)
- # empty content when not allowed
- self.assertEqual(response.content, b"")
+ # permission denied when not allowed
+ self.assertEqual(response.status_code, 403)
 c.login(username=self.username, password=self.password)
 response = c.get(
 reverse("show-operation", kwargs={"pk": operation.pk, "type": "pdf"})
@@ -2417,9 +2415,8 @@ class OperationTest(TestCase, OperationInitTest):
 response = c.get(
 reverse("show-operation", kwargs={"pk": operation.pk, "type": "odt"})
 )
- self.assertEqual(response.status_code, 200)
- # empty content when not allowed
- self.assertEqual(response.content, b"")
+ # permission denied when not allowed
+ self.assertEqual(response.status_code, 403)
 c.login(username=self.username, password=self.password)
 response = c.get(
 reverse("show-operation", kwargs={"pk": operation.pk, "type": "odt"})
diff --git a/ishtar_common/admin.py b/ishtar_common/admin.py
index 91a036ad9..5ca7ef105 100644
--- a/ishtar_common/admin.py
+++ b/ishtar_common/admin.py
@@ -1694,9 +1694,24 @@ class ProfileTypeAdmin(GeneralTypeAdmin):
 if permission in permissions_not_needed:
 permissions_needed.remove(permission)
 if permissions_needed:
- permission_needed = ", ".join(
- sorted(set([model for __, model in permissions_needed]))
- )
+ translations = {
+ "administrativeact": str(_("administrative act")),
+ "contextrecord": str(_("context record")),
+ "document": str(_("document")),
+ "file": str(_("archaeological file")),
+ "find": str(_("find")),
+ "operation": str(_("operation")),
+ "treatment": str(_("treatment")),
+ "treatmentfile": str(_("treament file")),
+ "warehouse": str(_("warehouse")),
+ "geovectordata": str(_("geographic data")),
+ }
+ perm_needed = []
+ for p in sorted(set([model for __, model in permissions_needed])):
+ if p in translations:
+ p = translations[p]
+ perm_needed.append(p)
+ permission_needed = ", ".join(sorted(perm_needed))
 messages.add_message(
 request,
 messages.ERROR,
diff --git a/ishtar_common/tests.py b/ishtar_common/tests.py
index 2a8983048..1e4ba7d9c 100644
--- a/ishtar_common/tests.py
+++ b/ishtar_common/tests.py
@@ -37,7 +37,7 @@ from django.conf import settings
 from django.contrib.auth.models import User, Permission, Group
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.gis.geos import (
- GEOSGeometry,
+ GEOSGeometry,
 Point,
 MultiPoint,
 LineString,
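Review bot: In the ProfileTypeAdmin hunk of ishtar_common/admin.py the msgid for `treatmentfile` is misspelled: `str(_("treament file"))` should read `str(_("treatment file"))`, otherwise the typo is extracted into the translation catalogues and shown in the admin error message. The loop also sorts twice and can be written as `perm_needed = [translations.get(p, p) for p in {model for __, model in permissions_needed}]`, leaving the existing `", ".join(sorted(perm_needed))` as is. The enclosing method starts and ends outside the hunk.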
@@ -3479,19 +3479,15 @@ class IshtarBasicTest(TestCase): c = Client() - # empty content when not allowed + # permission denied when not allowed response = c.get(reverse("show-person", kwargs={"pk": person.pk})) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.content.decode("utf-8"), "") + self.assertEqual(response.status_code, 403) response = c.get(reverse("show-organization", kwargs={"pk": company.pk})) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.content.decode("utf-8"), "") + self.assertEqual(response.status_code, 403) response = c.get(reverse("show-town", kwargs={"pk": town.pk})) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.content.decode("utf-8"), "") + self.assertEqual(response.status_code, 403) response = c.get(reverse("show-area", kwargs={"pk": area.pk})) - self.assertEqual(response.status_code, 200) - self.assertEqual(response.content.decode("utf-8"), "") + self.assertEqual(response.status_code, 403) c.login(username=self.my_admin.username, password=self.password) response = c.get(reverse("show-person", kwargs={"pk": person.pk})) diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py index 0619f8f8a..9f72171b9 100644 --- a/ishtar_common/views_item.py +++ b/ishtar_common/views_item.py @@ -20,7 +20,7 @@ from django.contrib.contenttypes.models import ContentType from django.contrib.gis.geos import GEOSException from django.contrib.staticfiles.templatetags.staticfiles import static from django.core.cache import cache -from django.core.exceptions import ObjectDoesNotExist +from django.core.exceptions import ObjectDoesNotExist, PermissionDenied from django.db.models import ( F, Q, 
@@ -383,14 +383,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None):
 check_model = model_for_perms
 allowed, own = check_model_access_control(request, check_model)
 if not allowed:
- return HttpResponse("", content_type="application/xhtml")
+ raise PermissionDenied()
 q = model.objects
 if own:
- if not hasattr(request.user, "ishtaruser"):
- return HttpResponse("")
+ meta = model._meta
+ if not request.user.has_perm(
+ f"{meta.app_label}.view_own_{meta.model_name}"):
+ raise PermissionDenied()
+ """
+ TODO: remove
 query_own = model.get_query_owns(request.user.ishtaruser)
 if query_own:
 q = q.filter(query_own).distinct()
+ """
 doc_type = "type" in dct and dct.pop("type")
 try:
 url = reverse("show-" + name, args=["0", ""]) |
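Review bot: The per-object restriction for `own` access is switched off in this hunk of `show_item`: the unchanged lines `query_own = model.get_query_owns(request.user.ishtaruser)` through `q = q.filter(query_own).distinct()` now sit inside a `"""` string literal, so `q` stays `model.objects` and the only gate left is the model-level `has_perm` on `view_own_<model>`. Unless the rest of the function (outside the hunk) checks the fetched item against the user, a user holding only a `view_own_*` permission can open any record by pk, not just their own. I would keep the `q.filter(query_own)` restriction active until its replacement exists, or check the object after the lookup, e.g. `if own and not request.user.has_perm(perm_name, item): raise PermissionDenied()` (names illustrative, and this assumes the auth backend evaluates object-level permissions). Dead code is also better deleted or `#`-commented with a tracking reference than parked in a bare string literal, which reads like a docstring and is easy to miss in review.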