Diffstat (limited to 'ishtar_common')
| -rw-r--r-- | ishtar_common/views.py | 18 | 
1 files changed, 17 insertions, 1 deletions
| diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index 7963dc46a..e02ed3f8b 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -188,11 +188,25 @@ HIERARCHIC_FIELDS = ['periods', 'period', 'unit', 'material_type',
 PRIVATE_FIELDS = ('id', 'history_modifier', 'order')
 def get_item(model, func_name, default_name, extra_request_keys=[],
             base_request={}, bool_fields=[], reversed_bool_fields=[],
-            dated_fields=[], associated_models=[], relative_session_names={}):
+            dated_fields=[], associated_models=[], relative_session_names={},
+            specific_perms=[]):
     """
     Generic treatment of tables
     """
     def func(request, data_type='json', full=False, **dct):
+        # check rights
+        own = True # more restrictive by default
+        allowed = False
+        for perm, lbl in model._meta.permissions:
+            # if not specific any perm is relevant (read right)
+            if specific_perms and perm not in specific_perms:
+                continue
+            if request.user.has_perm(perm):
+                allowed = True
+                if "_own_" not in perm:
+                    own = False
+        if not allowed:
+            return HttpResponse(None, mimetype='text/plain')
         if 'type' in dct:
             data_type = dct.pop('type')
         if not data_type:
@@ -288,6 +302,8 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
                     and_reqs.append(reqs)
                     break
         query = Q(**dct)
+        if own:
+            query = query & model.get_query_own(request.user)
         for k, or_req in or_reqs:
             alt_dct = dct.copy()
             alt_dct.pop(k) |
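Review bot: The denial path at the end of the added rights check returns `HttpResponse(None, mimetype='text/plain')`, which is a 200 with an empty body, so a refused request is indistinguishable from an empty result for clients and in access logs; returning a 403 makes the refusal explicit, e.g. `return HttpResponse(None, mimetype='text/plain', status=403)`. Separately, the loop passes the bare codenames from `model._meta.permissions` to `request.user.has_perm(perm)`; Django's default backend matches on `app_label.codename`, so unless this project installs a backend that resolves bare codenames, the check would refuse every non-superuser, which is worth confirming with a test for a user holding only an `_own_` permission. The new `specific_perms=[]` default follows the signature's existing mutable defaults and is only read here. The body of `func` continues outside the hunk.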
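Review bot: The ownership filter is ANDed into `query` before the `for k, or_req in or_reqs:` loop, and the loop body is cut off by the hunk; if the loop goes on to OR alternative `Q(**alt_dct)` objects into `query`, as the `alt_dct` copies suggest, those alternatives would not carry the `get_query_own` restriction and could return rows outside the user's own items. Applying the restriction after all OR/AND composition is finished, just before the queryset is built, avoids that: move `if own:` / `query = query & model.get_query_own(request.user)` below the loops. It is also worth confirming that every model passed to `get_item` defines `get_query_own` and that it always returns a `Q`, since neither is visible here.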
