From e1ec2cc7a72a502f9c8cb42b571bdadcad003237 Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 29 Mar 2017 19:42:02 +0200
Subject: Access control: collaborators are included in get_own_query for operations, context records and finds (refs #3196)
---
 archaeological_context_records/models.py | 1 +
 archaeological_finds/models_finds.py | 2 ++
 archaeological_operations/models.py | 6 ++++--
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/archaeological_context_records/models.py b/archaeological_context_records/models.py
index a16b4cae7..bba9c643b 100644
--- a/archaeological_context_records/models.py
+++ b/archaeological_context_records/models.py
@@ -367,6 +367,7 @@ class ContextRecord(BaseHistorizedItem, ImageModel, OwnPerms,
 def get_query_owns(cls, user):
 return (Q(operation__scientist=user.ishtaruser.person) |
 Q(operation__in_charge=user.ishtaruser.person) |
+ Q(operation__collaborators__pk=user.ishtaruser.person.pk) |
 Q(history_creator=user)) \
 & Q(operation__end_date__isnull=True)

diff --git a/archaeological_finds/models_finds.py b/archaeological_finds/models_finds.py
index cbd13e925..735bc01a8 100644
--- a/archaeological_finds/models_finds.py
+++ b/archaeological_finds/models_finds.py
@@ -872,6 +872,8 @@ class Find(BaseHistorizedItem, ImageModel, OwnPerms, ShortMenuItem):
 ishtaruser.person) |
 Q(base_finds__context_record__operation__in_charge=user.
 ishtaruser.person) |
+ Q(base_finds__context_record__operation__collaborators__pk=user.
+ ishtaruser.person.pk) |
 Q(history_creator=user)) \
 & Q(base_finds__context_record__operation__end_date__isnull=True)

diff --git a/archaeological_operations/models.py b/archaeological_operations/models.py
index 782f9cf35..13997a632 100644
--- a/archaeological_operations/models.py
+++ b/archaeological_operations/models.py
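Review bot: The added `Q(operation__collaborators__pk=user.ishtaruser.person.pk)` term is OR-ed with the other ownership terms, and `collaborators__pk` reads like a lookup across a many-to-many relation, so a queryset filtered with this Q may return the same context record once per collaborator row whenever another term (scientist, in charge, creator) also matches. If a caller counts, paginates or iterates the "own" results without `.distinct()`, the listings and any count-based permission check would be off; the callers are not visible from this hunk, so please confirm they apply `.distinct()`. The same join is added in the Find hunk in archaeological_finds/models_finds.py and in the Operation hunk in archaeological_operations/models.py. The method's decorator and the lines after the return lie outside the hunk.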
@@ -572,8 +572,10 @@ class Operation(ClosedItem, BaseHistorizedItem, ImageModel, OwnPerms,

 @classmethod
 def get_query_owns(cls, user):
- return (Q(in_charge=user.ishtaruser.person) |\
- Q(scientist=user.ishtaruser.person) |\
+ return (
+ Q(in_charge=user.ishtaruser.person) |
+ Q(scientist=user.ishtaruser.person) |
+ Q(collaborators__pk=user.ishtaruser.person.pk) |
 Q(history_creator=user)) & Q(end_date__isnull=True)

 def is_active(self):
-- cgit v1.2.3
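Review bot: `get_query_owns` has no docstring stating who counts as an owner, and this change widens that set to collaborators in three models, so the access rule now lives only in the Q expression. I would add `"""Return the Q filter for operations the user owns: in charge, scientist, collaborator or creator, restricted to operations without an end date."""` under the signature here, with matching docstrings on the ContextRecord and Find versions. The diffstat lists only the three model files, so the commit appears to carry no test. A regression test would pin the rule by checking that a collaborator matches, that an unrelated person does not, and that an operation with an end date is excluded for both.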