From 6d690a9d3a873d98bb0da72a2b7e860b4dc3bbd3 Mon Sep 17 00:00:00 2001
From: Étienne Loks <etienne.loks@iggdrasil.net>
Date: Tue, 4 Feb 2025 16:19:19 +0100
Subject: 🐛 prevent bulk update when no permission is set (refs #6098)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ishtar_common/forms.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

(limited to 'ishtar_common/forms.py')

diff --git a/ishtar_common/forms.py b/ishtar_common/forms.py
index ffe44298c..f0e900208 100644
--- a/ishtar_common/forms.py
+++ b/ishtar_common/forms.py
@@ -1292,7 +1292,7 @@ class QAForm(CustomForm, ManageOldType):
     def __init__(self, *args, **kwargs):
         self.items = kwargs.pop("items")
         self.confirm = kwargs.pop("confirm")
-        super(QAForm, self).__init__(*args, **kwargs)
+        super().__init__(*args, **kwargs)
         len_items = len(self.items)
         for k in list(self.fields.keys()):
             if self.MULTI and len_items > 1 and k in self.SINGLE_FIELDS:
@@ -1338,7 +1338,7 @@ class QAForm(CustomForm, ManageOldType):
         value = self.cleaned_data[base_key]
         if not value:
             return
-        key = base_key[len(self.PREFIX) :]
+        key = base_key[len(self.PREFIX):]
         field = item._meta.get_field(key)
         if getattr(field, "related_model", None):
             is_list = isinstance(value, (list, tuple))
@@ -1389,7 +1389,21 @@ class QAForm(CustomForm, ManageOldType):
         return value
 
     def save(self, items, user):
+        if not items or not user.ishtaruser:
+            return
+        model = items[0].__class__._meta
+        full_permission = f"{model.app_label}.change_{model.model_name}"
+        own_permission = f"{model.app_label}.change_own_{model.model_name}"
+        has_full_permission = user.ishtaruser.has_permission(full_permission)
+        if not has_full_permission:
+            if not user.ishtaruser.has_permission(own_permission):
+                return _("You don't have sufficient permissions to do this action.")
+        errors = []
         for item in items:
+            if not has_full_permission:
+                if not user.ishtaruser.has_permission(own_permission, item):
+                    errors.append(str(item))
+                    continue
             for base_key in self.cleaned_data:
                 if hasattr(self, "_set_" + base_key):
                     getattr(self, "_set_" + base_key)(item, user)
@@ -1398,6 +1412,11 @@ class QAForm(CustomForm, ManageOldType):
             item.history_modifier = user
             item._cached_label_checked = False
             item.save()
+        if not errors:
+            return
+        msg = str(_("You don't have sufficient permissions to edit: "))
+        msg2 = str(_("Other changes (if any) have been made successfully."))
+        return f"{msg}{' ; '.join(errors)}. {msg2}"
 
 
 class DocumentGenerationForm(forms.Form):
-- 
cgit v1.2.3