summaryrefslogtreecommitdiff
path: root/ishtar_common/views.py
diff options
context:
space:
mode:
Diffstat (limited to 'ishtar_common/views.py')
-rw-r--r--ishtar_common/views.py31
1 files changed, 5 insertions, 26 deletions
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 94e4c1582..3cd00a6a6 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -586,47 +586,26 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
"""
def func(request, data_type='json', full=False, force_own=False,
col_names=None, **dct):
- # check rights
- own = True # more restrictive by default
- allowed = False
+ available_perms = []
if specific_perms:
available_perms = specific_perms[:]
- else:
- available_perms = ['view_' + model.__name__.lower(),
- 'view_own_' + model.__name__.lower()]
EMPTY = ''
if 'type' in dct:
data_type = dct.pop('type')
if not data_type:
EMPTY = '[]'
data_type = 'json'
- if not request.user.is_authenticated():
+
+ allowed, own = models.check_model_access_control(request, model,
+ available_perms)
+ if not allowed:
return HttpResponse(EMPTY, mimetype='text/plain')
- if request.user.ishtaruser.has_right('administrator',
- session=request.session):
- allowed = True
- own = False
- else:
- for perm, lbl in model._meta.permissions:
- if perm not in available_perms:
- continue
- cperm = model._meta.app_label + '.' + perm
- if request.user.has_perm(cperm) \
- or cperm in request.user.get_all_permissions() \
- or request.user.ishtaruser.has_right(
- perm, session=request.session):
- allowed = True
- if "_own_" not in perm:
- own = False
- break # max right reach
if force_own:
own = True
if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \
request.session['SHORTCUT_SEARCH'] == 'own':
own = True
- if not allowed:
- return HttpResponse(EMPTY, mimetype='text/plain')
# get defaults from model
if not extra_request_keys and hasattr(model, 'EXTRA_REQUEST_KEYS'):
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-31 14:39:54 +0000