From b97f9e46a2faaa26484ddb1ef76b01602f2f143d Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 29 Mar 2017 18:34:24 +0200
Subject: Access control: put back the specific Django user permission check
---
 ishtar_common/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index d3c9e0897..e483c9476 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -608,8 +608,11 @@ def get_item(model, func_name, default_name, extra_request_keys=[],
 for perm, lbl in model._meta.permissions:
 if perm not in available_perms:
 continue
- if request.user.ishtaruser.has_right(
- perm, session=request.session):
+ cperm = model._meta.app_label + '.' + perm
+ if request.user.has_perm(cperm) \
+ or cperm in request.user.get_all_permissions() \
+ or request.user.ishtaruser.has_right(
+ perm, session=request.session):
 allowed = True
 if "_own_" not in perm:
 own = False
--
cgit v1.2.3
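Review bot: The two new Django-level clauses in the `if` short-circuit ahead of `request.user.ishtaruser.has_right(perm, session=request.session)`, so any restriction that `has_right` derives from the session is no longer consulted for a user who holds the model permission globally. Because `has_perm` returns True for every permission of an active superuser, the `"_own_" not in perm` branch will also clear `own` for such accounts. If that precedence is intended, it deserves a comment above the condition, for example `# Global Django permissions take precedence over session-scoped Ishtar rights`. With Django's stock `ModelBackend` the middle clause `cperm in request.user.get_all_permissions()` appears to repeat what `has_perm(cperm)` already checks, so unless a custom auth backend makes them differ the condition could be reduced to `if request.user.has_perm(cperm) or request.user.ishtaruser.has_right(perm, session=request.session):`. The body of `get_item` starts and ends outside this hunk, so whether an anonymous or profile-less user can reach `request.user.ishtaruser` here cannot be confirmed from the visible lines.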