diff options
| -rw-r--r-- | ishtar_common/models.py | 2 | ||||
| -rw-r--r-- | ishtar_common/views.py | 12 |
2 files changed, 11 insertions, 3 deletions
diff --git a/ishtar_common/models.py b/ishtar_common/models.py index 77b4ed335..f1de8c60a 100644 --- a/ishtar_common/models.py +++ b/ishtar_common/models.py @@ -125,7 +125,7 @@ def check_model_access_control(request, model, available_perms=None): if "_own_" not in perm: own = False break # max right reach - return allowed, own + return allowed, own class Imported(models.Model): diff --git a/ishtar_common/views.py b/ishtar_common/views.py index 3cd00a6a6..f185576ea 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -1192,10 +1192,18 @@ def display_item(model, extra_dct=None, show_url=None): def show_item(model, name, extra_dct=None): def func(request, pk, **dct): + allowed, own = models.check_model_access_control(request, model) + if not allowed: + return HttpResponse('', content_type="application/xhtml") + q = model.objects + if own: + query_own = model.get_query_owns(request.user) + if query_own: + q = q.filter(query_own) try: - item = model.objects.get(pk=pk) + item = q.get(pk=pk) except ObjectDoesNotExist: - return HttpResponse(None) + return HttpResponse('NOK') doc_type = 'type' in dct and dct.pop('type') url_name = u"/".join(reverse('show-' + name, args=['0', ''] ).split('/')[:-2]) + u"/" |