From 5b1e6d47258b9a716bd99babb32f832251a0625d Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 13 Nov 2024 16:41:53 +0100
Subject: 🐛 fix own permissions for sheets - translation in admin page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ishtar_common/views_item.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'ishtar_common/views_item.py')
diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py
index 0619f8f8a..9f72171b9 100644
--- a/ishtar_common/views_item.py
+++ b/ishtar_common/views_item.py
@@ -20,7 +20,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.contrib.gis.geos import GEOSException
 from django.contrib.staticfiles.templatetags.staticfiles import static
 from django.core.cache import cache
-from django.core.exceptions import ObjectDoesNotExist
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.db.models import (
 F,
 Q,
@@ -383,14 +383,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None):
 check_model = model_for_perms
 allowed, own = check_model_access_control(request, check_model)
 if not allowed:
- return HttpResponse("", content_type="application/xhtml")
+ raise PermissionDenied()
 q = model.objects
 if own:
- if not hasattr(request.user, "ishtaruser"):
- return HttpResponse("")
+ meta = model._meta
+ if not request.user.has_perm(
+ f"{meta.app_label}.view_own_{meta.model_name}"):
+ raise PermissionDenied()
+ """
+ TODO: remove
 query_own = model.get_query_owns(request.user.ishtaruser)
 if query_own:
 q = q.filter(query_own).distinct()
+ """
 doc_type = "type" in dct and dct.pop("type")
 try:
 url = reverse("show-" + name, args=["0", ""])
-- cgit v1.2.3
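Review bot: In the `if own:` branch of `show_item`, the per-object ownership restriction is no longer applied: the `get_query_owns` filter is now wrapped in a triple-quoted string, and `request.user.has_perm(...)` is called without an object, so it only tests the model-level `view_own_<model>` permission. Unless ownership is enforced further down (the function body continues outside this hunk), a user who holds only the "own" permission would no longer be limited to their own records by this view. I would keep the existing `q = q.filter(query_own).distinct()` restriction (with the earlier `hasattr(request.user, "ishtaruser")` guard) until an object-level check replaces it, or call `request.user.has_perm(perm, item)` on the fetched object if the configured auth backend supports object permissions. The disabled block is also a no-op string expression rather than a comment; `#` comments stating why the filter is being retired would make the TODO clearer.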