Diffstat (limited to 'ishtar_common/wizards.py')
-rw-r--r-- | ishtar_common/wizards.py | 58 |
1 files changed, 35 insertions, 23 deletions
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py index a439cc014..47355dd06 100644 --- a/ishtar_common/wizards.py +++ b/ishtar_common/wizards.py @@ -23,6 +23,7 @@ import os # from functools import wraps from django.conf import settings +from django.contrib import messages from formtools.wizard.views import NamedUrlWizardView, normalize_name, \ get_storage, StepsHelper @@ -115,6 +116,7 @@ class Wizard(IshtarWizard): ) main_item_select_keys = ('selec-',) formset_pop_deleted = True + alt_is_own_method = None # alternate method name for "is_own" check saved_args = {} # argument to pass on object save 
@@ -145,29 +147,39 @@ class Wizard(IshtarWizard): form, other_check) return kwargs + def check_own_permissions(self, request, step=None, *args, **kwargs): + # reinit default dispatch of a wizard - not clean... + self.request = request + self.session = request.session + self.prefix = self.get_prefix(request, *args, **kwargs) + self.storage = get_storage( + self.storage_name, self.prefix, request, + getattr(self, 'file_storage', None)) + self.steps = StepsHelper(self) + + current_object = self.get_current_object() + ishtaruser = request.user.ishtaruser \ + if hasattr(request.user, 'ishtaruser') else None + + # not the first step and current object is not owned + if self.steps and self.steps.first != step and current_object: + is_own = current_object.is_own( + ishtaruser, alt_query_own=self.alt_is_own_method) + if not is_own: + messages.add_message( + request, messages.WARNING, + _(u"Permission error: you cannot do this action.") + ) + self.session_reset(request, self.url_name) + return + return True + def dispatch(self, request, *args, **kwargs): self.current_right = kwargs.get('current_right', None) step = kwargs.get('step', None) # check that the current object is really owned by the current user if step and self.current_right and '_own_' in self.current_right: - - # reinit default dispatch of a wizard - not clean... 
- self.request = request - self.session = request.session - self.prefix = self.get_prefix(request, *args, **kwargs) - self.storage = get_storage( - self.storage_name, self.prefix, request, - getattr(self, 'file_storage', None)) - self.steps = StepsHelper(self) - - current_object = self.get_current_object() - ishtaruser = request.user.ishtaruser \ - if hasattr(request.user, 'ishtaruser') else None - - # not the fisrt step and current object is not owned - if self.steps and self.steps.first != step and\ - current_object and not current_object.is_own(ishtaruser): - self.session_reset(request, self.url_name) + if not self.check_own_permissions(request, *args, **kwargs): return HttpResponseRedirect('/') # extra filter on forms self.filter_owns_items = True @@ -439,7 +451,7 @@ class Wizard(IshtarWizard): datas.append((form.form_label, form_datas)) return datas - def get_extra_model(self, dct, form_list): + def get_extra_model(self, dct, m2m, form_list): dct['history_modifier'] = self.request.user return dct @@ -552,7 +564,7 @@ class Wizard(IshtarWizard): def save_model(self, dct, m2m, whole_associated_models, form_list, return_object): - dct = self.get_extra_model(dct, form_list) + dct = self.get_extra_model(dct, m2m, form_list) obj = self.get_current_saved_object() data = {} if obj and hasattr(obj, 'data'): @@ -1181,7 +1193,7 @@ class Wizard(IshtarWizard): return vals def get_current_object(self): - """Get the current object for an instancied wizard""" + """Get the current object for an instanced wizard""" current_obj = None for key in self.main_item_select_keys: main_form_key = key + self.url_name 
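Review bot: `check_own_permissions` returns `True` whenever `current_object` is falsy or `step` is the first step, and signals denial only with a bare `return`, so the new helper allows every case it cannot evaluate. That matches the removed inline condition, but as a named permission method it can now be called from elsewhere and read as a complete ownership check; end the denial branch with `return False` and add a docstring saying that an unresolved object or the first step is treated as allowed. The signature also puts `step=None` ahead of `*args`, so the `step` entry of `dispatch`'s `**kwargs` is bound to that parameter and no longer reaches `self.get_prefix(request, *args, **kwargs)`, which the removed code called with `step` included; if a `get_prefix` override reads it (not visible here), call `self.get_prefix(request, *args, step=step, **kwargs)`. When `request.user` has no `ishtaruser`, `None` is passed to `is_own`, whose handling of that value is outside this hunk. `dispatch` continues past the end of the hunk.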
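Review bot: Inserting `m2m` as a positional parameter in the middle of `get_extra_model` breaks any override still declared as `get_extra_model(self, dct, form_list)`, because `save_model` now always calls `self.get_extra_model(dct, m2m, form_list)` and such an override would raise `TypeError` at save time. Only `SourceWizard` (last hunk) is updated here and the diffstat is limited to `ishtar_common/wizards.py`, so overrides in other modules cannot be confirmed from this page and should be checked before merging. Neither implementation shown reads `m2m`, so a docstring on the base method should say what `m2m` holds and whether an override may modify it.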
@@ -1787,8 +1799,8 @@ class AccountWizard(Wizard): class SourceWizard(Wizard): model = None - def get_extra_model(self, dct, form_list): - dct = super(SourceWizard, self).get_extra_model(dct, form_list) + def get_extra_model(self, dct, m2m, form_list): + dct = super(SourceWizard, self).get_extra_model(dct, m2m, form_list) if 'history_modifier' in dct: dct.pop('history_modifier') return dct |