summaryrefslogtreecommitdiff
path: root/ishtar_common/views_item.py
diff options
context:
space:
mode:
Diffstat (limited to 'ishtar_common/views_item.py')
-rw-r--r--ishtar_common/views_item.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 0619f8f8a..9f72171b9 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -20,7 +20,7 @@ from django.contrib.contenttypes.models import ContentType
from django.contrib.gis.geos import GEOSException
from django.contrib.staticfiles.templatetags.staticfiles import static
from django.core.cache import cache
-from django.core.exceptions import ObjectDoesNotExist
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
from django.db.models import (
F,
Q,
@@ -383,14 +383,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None):
check_model = model_for_perms
allowed, own = check_model_access_control(request, check_model)
if not allowed:
- return HttpResponse("", content_type="application/xhtml")
+ raise PermissionDenied()
q = model.objects
if own:
- if not hasattr(request.user, "ishtaruser"):
- return HttpResponse("")
+ meta = model._meta
+ if not request.user.has_perm(
+ f"{meta.app_label}.view_own_{meta.model_name}"):
+ raise PermissionDenied()
+ """
+ TODO: remove
query_own = model.get_query_owns(request.user.ishtaruser)
if query_own:
q = q.filter(query_own).distinct()
+ """
doc_type = "type" in dct and dct.pop("type")
try:
url = reverse("show-" + name, args=["0", ""])
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-16 16:36:19 +0000