Diffstat (limited to 'ishtar_common/views.py')
-rw-r--r-- | ishtar_common/views.py | 68 |
1 files changed, 32 insertions, 36 deletions
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index e8a2c9e12..f185576ea 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -63,6 +63,8 @@ from archaeological_finds.models import Find, Treatment, TreatmentFile, \
 from archaeological_operations.forms import DashboardForm as DashboardFormOpe
 from archaeological_files.forms import DashboardForm as DashboardFormFile
+from archaeological_finds.forms import DashboardTreatmentForm, \
+ DashboardTreatmentFileForm
 from ishtar_common.forms import FinalForm, FinalDeleteForm
 from ishtar_common.widgets import JQueryAutoComplete
@@ -584,47 +586,26 @@ def get_item(model, func_name, default_name, extra_request_keys=[], """ def func(request, data_type='json', full=False, force_own=False, col_names=None, **dct): - # check rights - own = True # more restrictive by default - allowed = False + available_perms = [] if specific_perms: available_perms = specific_perms[:] - else: - available_perms = ['view_' + model.__name__.lower(), - 'view_own_' + model.__name__.lower()] EMPTY = '' if 'type' in dct: data_type = dct.pop('type') if not data_type: EMPTY = '[]' data_type = 'json' - if not request.user.is_authenticated(): + + allowed, own = models.check_model_access_control(request, model, + available_perms) + if not allowed: return HttpResponse(EMPTY, mimetype='text/plain') - if request.user.ishtaruser.has_right('administrator', - session=request.session): - allowed = True - own = False - else: - for perm, lbl in model._meta.permissions: - if perm not in available_perms: - continue - cperm = model._meta.app_label + '.' + perm - if request.user.has_perm(cperm) \ - or cperm in request.user.get_all_permissions() \ - or request.user.ishtaruser.has_right( - perm, session=request.session): - allowed = True - if "_own_" not in perm: - own = False - break # max right reach if force_own: own = True if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \ request.session['SHORTCUT_SEARCH'] == 'own': own = True - if not allowed: - return HttpResponse(EMPTY, mimetype='text/plain') # get defaults from model if not extra_request_keys and hasattr(model, 'EXTRA_REQUEST_KEYS'): 
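Review bot: The anonymous-user guard and the default `view_<model>` / `view_own_<model>` permission list are no longer visible in `func`; when `specific_perms` is not set, the call now hands `available_perms = []` to `models.check_model_access_control`, whose body is not part of this diff. If that helper reads an empty list as "no restriction" rather than "use the default view permissions", or does not reject unauthenticated requests itself, this endpoint's access decision changes silently, so that contract should be confirmed against the helper. I would record it at the call site, e.g. `# check_model_access_control must deny anonymous users and fall back to view_/view_own_<model> when available_perms is empty`, and keep the removed `# more restrictive by default` intent documented for `own`. `func` continues past the end of the hunk.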
@@ -1211,10 +1192,18 @@ def display_item(model, extra_dct=None, show_url=None): def show_item(model, name, extra_dct=None): def func(request, pk, **dct): + allowed, own = models.check_model_access_control(request, model) + if not allowed: + return HttpResponse('', content_type="application/xhtml") + q = model.objects + if own: + query_own = model.get_query_owns(request.user) + if query_own: + q = q.filter(query_own) try: - item = model.objects.get(pk=pk) + item = q.get(pk=pk) except ObjectDoesNotExist: - return HttpResponse(None) + return HttpResponse('NOK') doc_type = 'type' in dct and dct.pop('type') url_name = u"/".join(reverse('show-' + name, args=['0', ''] ).split('/')[:-2]) + u"/" @@ -1458,7 +1447,11 @@ def dashboard_main(request, dct, obj_id=None, *args, **kwargs): return render_to_response('ishtar/dashboards/dashboard_main.html', dct, context_instance=RequestContext(request)) -DASHBOARD_FORMS = {'files': DashboardFormFile, 'operations': DashboardFormOpe} +DASHBOARD_FORMS = { + 'files': DashboardFormFile, 'operations': DashboardFormOpe, + 'treatments': DashboardTreatmentForm, + 'treatmentfiles': DashboardTreatmentFileForm +} def dashboard_main_detail(request, item_name): @@ -1473,8 +1466,11 @@ def dashboard_main_detail(request, item_name): form = None slicing, date_source, fltr, show_detail = 'year', None, {}, False profile = models.get_current_profile() - if (item_name == 'files' and profile.files) \ - or item_name == 'operations': + has_form = (item_name == 'files' and profile.files) \ + or item_name == 'operations' \ + or (item_name in ('treatmentfiles', 'treatments') + and profile.warehouse) + if has_form: slicing = 'month' if item_name in DASHBOARD_FORMS: if request.method == 'POST': 
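Review bot: In `show_item`, the ownership restriction fails open: when `own` is true but `model.get_query_owns(request.user)` returns a falsy value (the `if query_own:` test anticipates `None` or an empty `Q`), `q` stays `model.objects` and `q.get(pk=pk)` returns any record by primary key to a user who holds only an own-scoped right. Deny instead of skipping the filter, e.g. `if not query_own: return HttpResponse('NOK')` placed before `q = q.filter(query_own)`. The refused and not-found branches also answer with different bodies (`''` versus `'NOK'`) and, as far as the hunk shows, a default 200 status, which makes refusals hard to tell apart in access logs; an explicit 403/404 would be clearer if the callers tolerate it. The rest of `func` lies outside the hunk.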
@@ -1490,8 +1486,7 @@ def dashboard_main_detail(request, item_name): form = DASHBOARD_FORMS[item_name]() lbl, dashboard = None, None dashboard_kwargs = {} - if (item_name == 'files' and profile.files) \ - or item_name == 'operations': + if has_form: dashboard_kwargs = {'slice': slicing, 'fltr': fltr, 'show_detail': show_detail} # date_source is only relevant when the form has set one @@ -1515,12 +1510,13 @@ def dashboard_main_detail(request, item_name): elif item_name == 'treatmentfiles' and profile.warehouse: lbl, dashboard = ( _(u"Treatment requests"), - models.Dashboard(TreatmentFile, slice=slicing, fltr=fltr)) + models.Dashboard(TreatmentFile, **dashboard_kwargs)) elif item_name == 'treatments' and profile.warehouse: + if 'date_source' not in dashboard_kwargs: + dashboard_kwargs['date_source'] = 'start' lbl, dashboard = ( _(u"Treatments"), - models.Dashboard(Treatment, slice=slicing, fltr=fltr, - date_source='start')) + models.Dashboard(Treatment, **dashboard_kwargs)) if not lbl: raise Http404 dct = {'lbl': lbl, 'dashboard': dashboard, |
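Review bot: Style point in the `treatments` branch of `dashboard_main_detail`: the two-line membership test can be written as `dashboard_kwargs.setdefault('date_source', 'start')`. Separately, `models.Dashboard(TreatmentFile, ...)` and `models.Dashboard(Treatment, ...)` previously received only `slice` and `fltr` and now also get `show_detail` plus any form-supplied `date_source` through `**dashboard_kwargs`; presumably `Dashboard` accepts and validates these for both models, but that is not visible in this diff and deserves a short comment next to the calls. The function body starts and ends outside the hunk.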