Diffstat (limited to 'ishtar_common/wizards.py')
-rw-r--r--ishtar_common/wizards.py36
1 files changed, 25 insertions, 11 deletions
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index e41c4c811..1da9b9f4d 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -35,7 +35,7 @@ from formtools.wizard.views import (
from django.contrib.sites.models import Site
from django.core.exceptions import ObjectDoesNotExist
from django.core.files.images import ImageFile
-from django.core.files.storage import default_storage, FileSystemStorage
+from django.core.files.storage import FileSystemStorage
from django.core.mail import send_mail
from django.db.models.fields.files import FileField, ImageFieldFile
from django.db.models.fields.related import ManyToManyField
@@ -50,7 +50,7 @@ from django.utils.safestring import mark_safe
from ishtar_common import models, models_rest
from ishtar_common.forms import CustomForm, reverse_lazy
-from ishtar_common.utils import get_all_field_names, get_person_gdpr_log, MultiValueDict, \
+from ishtar_common.utils import get_all_field_names, get_person_gdpr_log, MultiValueDict,\
put_session_message
logger = logging.getLogger(__name__)
@@ -154,6 +154,7 @@ class Wizard(IshtarWizard):
label = ""
translated_keys = []
modification = None # True when the wizard modify an item
+ deletion = True # True on deletion
storage_name = "formtools.wizard.storage.session.SessionStorage"
wizard_done_template = "ishtar/wizard/wizard_done.html"
wizard_done_window = ""
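Review bot: The base-class default `deletion = True` on `Wizard` means every wizard that is not a modification wizard takes the `elif self.deletion:` branch of `verify_permission`, so the `else: perm += "add"` branch looks unreachable and creation wizards would be checked against the `delete_…` permission instead of `add_…`. The explicit `deletion = True` added to `DeletionWizard` and `MultipleDeletionWizard` further down in this diff suggests the base value was meant to be `deletion = False  # True on deletion`. Unless a subclass outside this diff resets the flag, users holding only the add permission would be refused and users holding only the delete permission would pass the check on creation wizards.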
@@ -211,16 +212,9 @@ class Wizard(IshtarWizard):
self.steps = StepsHelper(self)
current_object = self.get_current_object()
- ishtaruser = (
- request.user.ishtaruser if hasattr(request.user, "ishtaruser") else None
- )
-
# not the first step and current object is not owned
if self.steps and self.steps.first != step and current_object:
- is_own = current_object.is_own(
- ishtaruser, alt_query_own=self.alt_is_own_method
- )
- if not is_own:
+ if not self.verify_permission(request, current_object):
messages.add_message(
request,
messages.WARNING,
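Review bot: The replacement call `self.verify_permission(request, current_object)` drops the `alt_query_own=self.alt_is_own_method` argument that the removed `is_own()` call carried, so any wizard that sets `alt_is_own_method` no longer has its alternative ownership rule consulted at this point. If object-level permissions are now expected to cover that case, a short comment here such as `# ownership is resolved by the object-permission backend, alt_is_own_method is no longer used` would make the change of authorization model explicit; otherwise the alternative query needs an equivalent. The enclosing method starts and ends outside the hunk, so whether `alt_is_own_method` is still used elsewhere cannot be told from here.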
@@ -230,6 +224,23 @@ class Wizard(IshtarWizard):
return
return True
+ def verify_permission(self, request, current_object=None):
+ meta = self.model._meta
+ perm = f"{meta.app_label}."
+ if self.modification:
+ perm += "change"
+ elif self.deletion:
+ perm += "delete"
+ else:
+ perm += "add"
+ base_perm = f"{perm}_{meta.model_name}"
+ if request.user.has_perm(base_perm):
+ return True
+ if not current_object:
+ return False
+ own_perm = f"{perm}_own_{meta.model_name}"
+ return request.user.has_perm(own_perm, current_object)
+
def dispatch(self, request, *args, **kwargs):
self.current_right = kwargs.get("current_right", None)
step = kwargs.get("step", None)
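Review bot: `verify_permission` is an authorization decision with no docstring and two unstated assumptions. `request.user.has_perm(own_perm, current_object)` only grants anything when an authentication backend with object-level support is configured, since Django's stock `ModelBackend` returns False whenever an object is passed; and `self.model` is read unconditionally although `DeletionWizard.__init__` guards it with `hasattr(self, "model")`. I would add a docstring stating the order of checks (model-wide `<action>_<model>` first, then `<action>_own_<model>` against the object) and the backend requirement, and fail closed on a missing model with `if not getattr(self, "model", None): return False` as the first statement. `dispatch` at the end of the hunk continues outside it.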
@@ -241,7 +252,6 @@ class Wizard(IshtarWizard):
self.filter_owns_items = True
else:
self.filter_owns_items = False
-
return super(Wizard, self).dispatch(request, *args, **kwargs)
def get_prefix(self, request, *args, **kwargs):
@@ -1714,6 +1724,8 @@ class DocumentSearch(SearchWizard):
class DeletionWizard(Wizard):
+ deletion = True
+
def __init__(self, *args, **kwargs):
if (not hasattr(self, "fields") or not self.fields) and (
hasattr(self, "model") and hasattr(self.model, "TABLE_COLS")
@@ -1790,6 +1802,8 @@ class MultipleItemWizard(Wizard):
class MultipleDeletionWizard(MultipleItemWizard):
+ deletion = True
+
def __init__(self, *args, **kwargs):
if (not hasattr(self, "fields") or not self.fields) and (
hasattr(self, "model") and hasattr(self.model, "TABLE_COLS")