Diffstat (limited to 'ishtar_common')
| -rw-r--r-- | ishtar_common/wizards.py | 54 | 
1 files changed, 29 insertions, 25 deletions
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index 19eb312e1..446afc71e 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -147,36 +147,40 @@ class Wizard(IshtarWizard):
                 form, other_check)
         return kwargs
+    def check_own_permissions(self, request, step, *args, **kwargs):
+        # reinit default dispatch of a wizard - not clean...
+        self.request = request
+        self.session = request.session
+        self.prefix = self.get_prefix(request, *args, **kwargs)
+        self.storage = get_storage(
+            self.storage_name, self.prefix, request,
+            getattr(self, 'file_storage', None))
+        self.steps = StepsHelper(self)
+
+        current_object = self.get_current_object()
+        ishtaruser = request.user.ishtaruser \
+            if hasattr(request.user, 'ishtaruser') else None
+
+        # not the first step and current object is not owned
+        if self.steps and self.steps.first != step and current_object:
+            is_own = current_object.is_own(
+                ishtaruser, alt_query_own=self.alt_is_own_method)
+            if not is_own:
+                messages.add_message(
+                    request, messages.WARNING,
+                    _(u"Permission error: you cannot do this action.")
+                )
+                self.session_reset(request, self.url_name)
+                return
+        return True
+
     def dispatch(self, request, *args, **kwargs):
         self.current_right = kwargs.get('current_right', None)
         step = kwargs.get('step', None)
         # check that the current object is really owned by the current user
         if step and self.current_right and '_own_' in self.current_right:
-
-            # reinit default dispatch of a wizard - not clean...
-            self.request = request
-            self.session = request.session
-            self.prefix = self.get_prefix(request, *args, **kwargs)
-            self.storage = get_storage(
-                self.storage_name, self.prefix, request,
-                getattr(self, 'file_storage', None))
-            self.steps = StepsHelper(self)
-
-            current_object = self.get_current_object()
-            ishtaruser = request.user.ishtaruser \
-                if hasattr(request.user, 'ishtaruser') else None
-
-            # not the first step and current object is not owned
-            if self.steps and self.steps.first != step and current_object:
-                is_own = current_object.is_own(
-                    ishtaruser, alt_query_own=self.alt_is_own_method)
-                if not is_own:
-                    messages.add_message(
-                        request, messages.WARNING,
-                        _(u"Permission error: you cannot do this action.")
-                    )
-                    self.session_reset(request, self.url_name)
-                    return HttpResponseRedirect('/')
+            if not self.check_permissions(request, step, *args, **kwargs):
+                return HttpResponseRedirect('/')
             # extra filter on forms
             self.filter_owns_items = True
         else:  | 
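Review bot: `dispatch` calls `self.check_permissions(request, step, *args, **kwargs)`, but the method this hunk extracts is named `check_own_permissions`, so the ownership check is not reached under that name. Unless a `check_permissions` exists elsewhere on the class or a parent (not visible here), every `_own_` step raises `AttributeError`. If one does exist with a different contract, its return value now decides access and the `is_own` test is silently skipped, which is the object-level authorization this guard is meant to enforce. The call should read `if not self.check_own_permissions(request, step, *args, **kwargs):`. It would also help to make the deny path explicit with `return False` instead of the bare `return`, and to give the method a short docstring stating that a falsy result means "redirect, session already reset". The body of `dispatch` continues outside the hunk.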
