1 files changed, 21 insertions, 19 deletions

diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index c99e78b9c..d3c9e0897 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -586,22 +586,30 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
         # check rights
         own = True  # more restrictive by default
         allowed = False
-        if request.user.is_authenticated() and \
-                request.user.ishtaruser.has_right('administrator',
-                                                  session=request.session):
+        if specific_perms:
+            available_perms = specific_perms[:]
+        else:
+            available_perms = ['view_' + model.__name__.lower(),
+                               'view_own_' + model.__name__.lower()]
+        EMPTY = ''
+        if 'type' in dct:
+            data_type = dct.pop('type')
+        if not data_type:
+            EMPTY = '[]'
+            data_type = 'json'
+        if not request.user.is_authenticated():
+            return HttpResponse(EMPTY, mimetype='text/plain')
+
+        if request.user.ishtaruser.has_right('administrator',
+                                             session=request.session):
             allowed = True
             own = False
         else:
             for perm, lbl in model._meta.permissions:
-                # if not specific any perm is relevant (read right)
-                if specific_perms and perm not in specific_perms:
+                if perm not in available_perms:
                     continue
-                cperm = model._meta.app_label + '.' + perm
-                if request.user.has_perm(cperm)\
-                        or cperm in request.user.get_all_permissions() \
-                        or (request.user.is_authenticated()
-                            and request.user.ishtaruser.has_right(
-                                perm, session=request.session)):
+                if request.user.ishtaruser.has_right(
+                        perm, session=request.session):
                     allowed = True
                     if "_own_" not in perm:
                         own = False
@@ -611,12 +619,6 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
         if full == 'shortcut' and 'SHORTCUT_SEARCH' in request.session and \
                 request.session['SHORTCUT_SEARCH'] == 'own':
             own = True
-        EMPTY = ''
-        if 'type' in dct:
-            data_type = dct.pop('type')
-        if not data_type:
-            EMPTY = '[]'
-            data_type = 'json'
         if not allowed:
             return HttpResponse(EMPTY, mimetype='text/plain')
 
@@ -898,7 +900,6 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
                     table_cols += model.EXTRA_FULL_FIELDS
             else:
                 table_cols = model.TABLE_COLS
-
         query_table_cols = []
         for cols in table_cols:
             if type(cols) not in (list, tuple):
@@ -916,6 +917,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
                         model.CONTEXTUAL_TABLE_COLS[contxt][col]
         if full == 'shortcut':
             query_table_cols = ['cached_label']
+            table_cols = ['cached_label']
 
         # manage sort tables
         manual_sort_key = None
@@ -1103,7 +1105,7 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
                         if hasattr(model, 'COL_LINK') and k in model.COL_LINK:
                             value = link_ext_template.format(value, value)
                         res[k] = value
-                if full == 'shortcut':
+                if full == 'shortcut' and 'cached_label' in res:
                     res['value'] = res.pop('cached_label')
                 rows.append(res)
             if full == 'shortcut':