From 819c4386b554545ddcb5bddce6413e078335e7e4 Mon Sep 17 00:00:00 2001 From: Étienne Loks Date: Fri, 10 Jan 2025 15:56:33 +0100 Subject: 🐛 permissions: manage quick add/modify forms (fix #6101) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ishtar_common/widgets.py | 41 ++++++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 11 deletions(-) (limited to 'ishtar_common/widgets.py') diff --git a/ishtar_common/widgets.py b/ishtar_common/widgets.py index b9166f361..992ae533d 100644 --- a/ishtar_common/widgets.py +++ b/ishtar_common/widgets.py @@ -709,6 +709,7 @@ class JQueryAutoComplete(forms.TextInput): self.source = source self.associated_model = associated_model self.tips = tips + self.user = None self.options = None if options and len(options) > 0: @@ -849,16 +850,34 @@ class JQueryAutoComplete(forms.TextInput): """.format( attrs_hidden["id"], tips ) - if self.modify: - new += """ - - - - """.format( - attrs_hidden["id"], name.replace("-", "_") - ) - if self.new: + meta = "" + if self.associated_model: + meta = self.associated_model._meta + base_permission = f"{meta.app_label}.{{}}_{meta.model_name}" + permission = base_permission.format("change") + own_permission = base_permission.format("change_own") + if self.modify and self.associated_model and self.user: + modify_ok = False + if self.user.has_permission(permission): + modify_ok = True + else: + try: + obj = self.associated_model.objects.get(pk=attrs_hidden["id"]) + modify_ok = self.user.has_permission(own_permission, obj) + except self.associated_model.DoesNotExist: + pass + if modify_ok: + new += """ + + + + """.format( + attrs_hidden["id"], name.replace("-", "_") + ) + permission = base_permission.format("add") + if self.new and self.associated_model and self.user and \ + self.user.has_permission(permission): limits = [] for k in self.limit: limits.append(k + "__" + "-".join([str(v) for v in self.limit[k]])) 
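Review bot: `self.user = None` deserves a comment, because the checks added further down in this file (`self.modify and self.associated_model and self.user`, and the same for `self.new`) suppress both quick-action buttons whenever no user was attached. Something like `# set by the owning form before render; while None, the quick add/modify buttons are never emitted` would make that fail-closed default explicit. The code that assigns `user` is not part of this diff; it should set the attribute on the per-form-instance widget rather than on a class-level field, so that one request's user cannot carry over to another. The constructor starts and ends outside the hunk.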
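Review bot: The own-object check calls `self.associated_model.objects.get(pk=attrs_hidden["id"])`, but `attrs_hidden["id"]` is the same value formatted into the markup a few lines above and looks like the hidden input's HTML id rather than the selected object's primary key. If that is right, the lookup never matches for users who hold only `change_own`, and on an integer key Django raises `ValueError` rather than `DoesNotExist`, which the `except` does not catch. I would query with the widget's current value (a render argument outside this hunk) and widen the handler to `except (self.associated_model.DoesNotExist, ValueError):`. Indentation is lost on this page, so it is unclear whether `base_permission` is bound inside `if self.associated_model:`; either way the no-model path looks fragile, since `meta = ""` has no `app_label` and `permission = base_permission.format("add")` needs that name to exist. These checks only decide which buttons are rendered, so the quick add/modify views themselves need to enforce the same `add`/`change`/`change_own` permissions server-side.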
@@ -875,7 +894,7 @@ class JQueryAutoComplete(forms.TextInput): onclick="dt_qa_open('{}', 'modal-dynamic-form-{}');">+ """.format( - url_new, model_name, model_name + url_new, model_name ) new += "" detail = "" -- cgit v1.2.3