1 files changed, 14 insertions, 4 deletions

diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index 5f3da1130..9e77a0dda 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -43,7 +43,8 @@ from django.utils.safestring import mark_safe
 
 from ishtar_common import models
 from ishtar_common.forms import CustomForm, reverse_lazy
-from ishtar_common.utils import get_all_field_names, MultiValueDict
+from ishtar_common.utils import get_all_field_names, MultiValueDict, \
+    put_session_message
 
 logger = logging.getLogger(__name__)
 
@@ -69,6 +70,11 @@ def check_rights(rights=[], redirect_url='/'):
                                                          request.session):
                         kwargs['current_right'] = right
                         return view_func(request, *args, **kwargs)
+            put_session_message(
+                request.session.session_key,
+                _(u"You don't have sufficient permissions to do this action."),
+                'warning'
+            )
             return HttpResponseRedirect(redirect_url)
         return _wrapped_view
     return decorator
@@ -110,6 +116,8 @@ def _check_right(step, condition=True):
 
 def filter_no_fields_form(form, other_check=None):
     def func(self):
+        if not hasattr(self.request.user, 'ishtaruser'):
+            return False
         if issubclass(form, CustomForm):
             enabled, exc = form.check_availability_and_excluded_fields(
                 self.request.user.ishtaruser)
@@ -184,9 +192,11 @@ class Wizard(NamedUrlWizardView):
             self.steps = StepsHelper(self)
 
             current_object = self.get_current_object()
+            ishtaruser = request.user.ishtaruser \
+                if hasattr(request.user, 'ishtaruser') else None
             # not the fisrt step and current object is not owned
             if self.steps and self.steps.first != step and\
-                    current_object and not current_object.is_own(request.user):
+                    current_object and not current_object.is_own(ishtaruser):
                 self.session_reset(request, self.url_name)
                 return HttpResponseRedirect('/')
             # extra filter on forms
@@ -206,8 +216,8 @@ class Wizard(NamedUrlWizardView):
     def get_prefix(self, request, *args, **kwargs):
         """As the class name can interfere when reused prefix with the url_name
         """
-        return self.url_name + super(Wizard, self).get_prefix(
-            request, *args, **kwargs)
+        return self.url_name + super(Wizard, self).get_prefix(request, *args,
+                                                              **kwargs)
 
     def get_wizard_name(self):
         """As the class name can interfere when reused, use the url_name"""