From a6fecd9a9ea412b743aa689d4fa02c7f15fde322 Mon Sep 17 00:00:00 2001 From: Étienne Loks Date: Mon, 21 Jul 2025 12:56:36 +0200 Subject: 🐛 imports list: fix permissions check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ishtar_common/views.py | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) (limited to 'ishtar_common/views.py') diff --git a/ishtar_common/views.py b/ishtar_common/views.py index aa47040aa..a4242aa3b 100644 --- a/ishtar_common/views.py +++ b/ishtar_common/views.py @@ -1788,20 +1788,22 @@ class ImportPreFormView(IshtarMixin, LoginRequiredMixin, FormView): return HttpResponseRedirect(self.get_success_url()) -def get_permissions_for_actions( - user, imprt, owns, can_edit_all, can_delete_all, can_edit_own, can_delete_own): - can_edit, can_delete = False, False +def get_permissions_for_actions(user, imprt, owns, permissions): + can_view, can_edit, can_delete = False, False, False is_own = None - if can_edit_own or can_delete_own: # need to check owner + if permissions["can_edit_own"] or permissions["can_delete_own"] \ + or permissions["can_view_own"]: # need to check owner if imprt.importer_type_id not in owns: # "is_own" only query once by importer type owns[imprt.importer_type.pk] = imprt.importer_type.is_own(user.ishtaruser) is_own = owns[imprt.importer_type_id] - if can_edit_all or (can_edit_own and is_own): + if permissions["can_view_all"] or (permissions["can_view_own"] and is_own): + can_view = True + if permissions["can_edit_all"] or (permissions["can_edit_own"] and is_own): can_edit = True - if can_delete_all or (can_delete_own and is_own): + if permissions["can_delete_all"] or (permissions["can_delete_own"] and is_own): can_delete = True - return can_edit, can_delete + return can_view, can_edit, can_delete class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): 
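Review bot: `get_permissions_for_actions` now indexes `permissions` with six fixed keys and returns three values instead of two, but nothing on the function records that contract. A docstring would make it explicit, e.g. `"""Return (can_view, can_edit, can_delete) for imprt. permissions must hold the can_{view,edit,delete}_{all,own} flags; owns caches is_own per importer type."""`. It should also say that "own" is decided by `imprt.importer_type.is_own(user.ishtaruser)`, i.e. on the importer type and not on the import record, because the `can_view_own` branch now inherits that rule for visibility. If per-import ownership was intended for viewing, this check is broader than it looks. Any caller outside this patch that still unpacks two values will fail; the three call sites visible here are updated.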
@@ -1839,15 +1841,15 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): key=lambda x: (x.end_date or x.creation_date) ) )) - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(user) + permissions = models.Import.get_permissions_for_actions(user) imports = [] owns = {} for imprt in values: - can_edit, can_delete = get_permissions_for_actions( - user, imprt, owns, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + can_view, can_edit, can_delete = get_permissions_for_actions( + user, imprt, owns, permissions ) + if not can_view: + continue imprt.action_list = imprt.get_actions( can_edit=can_edit, can_delete=can_delete ) @@ -1863,8 +1865,7 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): return imports def post(self, request, *args, **kwargs): - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(request.user) + permissions = models.Import.get_permissions_for_actions(request.user) owns = {} for field in request.POST: if not field.startswith("import-action-") or not request.POST[field]: @@ -1878,9 +1879,8 @@ class ImportListView(IshtarMixin, LoginRequiredMixin, ListView): imprt = model.objects.get(pk=int(field.split("-")[-1])) except (models.Import.DoesNotExist, ValueError): continue - can_edit, can_delete = get_permissions_for_actions( - request.user, imprt, owns, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + can_view, can_edit, can_delete = get_permissions_for_actions( + request.user, imprt, owns, permissions ) action = request.POST[field] if can_delete and action == "D": 
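Review bot: In `post` (hunk at -1878), `can_view` is unpacked but never consulted in the lines shown, so the new view restriction is enforced only when the list is rendered and not when an action is submitted for a given import pk. Adding `if not can_view: continue` directly after the `get_permissions_for_actions(...)` call would keep the handler consistent with the filter added in `get_queryset`. The loop body continues past the end of the hunk, so whether every action branch is already gated by `can_edit` or `can_delete` cannot be confirmed from here. The same applies to the `import_get_status` hunk (-2456): `can_view` is assigned and unused, and the status fields are put into the response dict before the permission lookup. Unless access is checked earlier in that function, which is outside the hunk, it should refuse when `can_view` is false.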
@@ -2456,11 +2456,9 @@ def import_get_status(request, current_right=None): "number_of_line": item.number_of_line, "progress_percent": item.progress_percent, }) - can_edit_all, can_delete_all, can_edit_own, can_delete_own = \ - models.Import.get_permissions_for_actions(request.user) - can_edit, can_delete = get_permissions_for_actions( - request.user, item, {}, can_edit_all, - can_delete_all, can_edit_own, can_delete_own + permissions = models.Import.get_permissions_for_actions(request.user) + can_view, can_edit, can_delete = get_permissions_for_actions( + request.user, item, {}, permissions ) item_dct["actions"] = [ (key, str(lbl)) -- cgit v1.2.3