From 6f59b9e36a0971b3deb44562062a878eb26beedf Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 23 Oct 2024 18:51:15 +0200
Subject: ✨ permissions refactoring: generate permissions, adapt permissions checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ishtar_common/wizards.py | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)
(limited to 'ishtar_common/wizards.py')
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index e41c4c811..1da9b9f4d 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -35,7 +35,7 @@ from formtools.wizard.views import (
 from django.contrib.sites.models import Site
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.files.images import ImageFile
-from django.core.files.storage import default_storage, FileSystemStorage
+from django.core.files.storage import FileSystemStorage
 from django.core.mail import send_mail
 from django.db.models.fields.files import FileField, ImageFieldFile
 from django.db.models.fields.related import ManyToManyField
@@ -50,7 +50,7 @@ from django.utils.safestring import mark_safe
 from ishtar_common import models, models_rest
 from ishtar_common.forms import CustomForm, reverse_lazy
-from ishtar_common.utils import get_all_field_names, get_person_gdpr_log, MultiValueDict, \
+from ishtar_common.utils import get_all_field_names, get_person_gdpr_log, MultiValueDict,\
     put_session_message
 logger = logging.getLogger(__name__)
@@ -154,6 +154,7 @@ class Wizard(IshtarWizard):
     label = ""
     translated_keys = []
     modification = None  # True when the wizard modify an item
+    deletion = True  # True on deletion
     storage_name = "formtools.wizard.storage.session.SessionStorage"
     wizard_done_template = "ishtar/wizard/wizard_done.html"
     wizard_done_window = ""
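Review bot: `deletion = True` as the default on the base `Wizard` class makes every wizard that is not a modification wizard and does not override the attribute look like a deletion, so the `verify_permission` method added later in this patch resolves `<app>.delete_<model>` for creation wizards and its `add` branch becomes unreachable. The comment `# True on deletion`, together with the explicit `deletion = True` the same patch adds on `DeletionWizard` and `MultipleDeletionWizard`, suggests the base default was meant to be `False`. Where the check is reached on a creation wizard, a user holding only `add_<model>` is refused while a user holding only `delete_<model>` passes. I would change the line to `deletion = False  # True only on deletion wizards`; this is inferred from the wizard classes visible in this patch, so confirm against any subclass that relies on the default.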
@@ -211,16 +212,9 @@ class Wizard(IshtarWizard):
         self.steps = StepsHelper(self)
         current_object = self.get_current_object()
-        ishtaruser = (
-            request.user.ishtaruser if hasattr(request.user, "ishtaruser") else None
-        )
-
         # not the first step and current object is not owned
         if self.steps and self.steps.first != step and current_object:
-            is_own = current_object.is_own(
-                ishtaruser, alt_query_own=self.alt_is_own_method
-            )
-            if not is_own:
+            if not self.verify_permission(request, current_object):
                 messages.add_message(
                     request,
                     messages.WARNING,
@@ -230,6 +224,23 @@ class Wizard(IshtarWizard):
                 return
         return True
+    def verify_permission(self, request, current_object=None):
+        meta = self.model._meta
+        perm = f"{meta.app_label}."
+        if self.modification:
+            perm += "change"
+        elif self.deletion:
+            perm += "delete"
+        else:
+            perm += "add"
+        base_perm = f"{perm}_{meta.model_name}"
+        if request.user.has_perm(base_perm):
+            return True
+        if not current_object:
+            return False
+        own_perm = f"{perm}_own_{meta.model_name}"
+        return request.user.has_perm(own_perm, current_object)
+
     def dispatch(self, request, *args, **kwargs):
         self.current_right = kwargs.get("current_right", None)
         step = kwargs.get("step", None)
@@ -241,7 +252,6 @@ class Wizard(IshtarWizard):
             self.filter_owns_items = True
         else:
             self.filter_owns_items = False
-
         return super(Wizard, self).dispatch(request, *args, **kwargs)
     def get_prefix(self, request, *args, **kwargs):
@@ -1714,6 +1724,8 @@ class DocumentSearch(SearchWizard):
 class DeletionWizard(Wizard):
+    deletion = True
+
     def __init__(self, *args, **kwargs):
         if (not hasattr(self, "fields") or not self.fields) and (
             hasattr(self, "model") and hasattr(self.model, "TABLE_COLS")
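Review bot: `verify_permission` is only invoked from the `self.steps.first != step and current_object` branch, so the first step and any step without a current object receive no permission check from this method, and the `add` path inside `verify_permission` (no object → `False`) is never exercised by this call site. If `dispatch` or the `current_right` handling does not gate `add_<model>`/`change_<model>` elsewhere, creation wizards stay unguarded after this refactor, which is a wider gap than the ownership check this replaces. Either call `if not self.verify_permission(request, current_object):` before the step condition, or add a comment on the `if` line such as `# first step is gated by current_right in dispatch` once that is confirmed. The method containing these lines starts before the hunk and the `messages.add_message(...)` call continues past it.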
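Review bot: `verify_permission` drops the `alt_query_own=self.alt_is_own_method` hook that the removed `is_own` call passed, so a wizard that defines `alt_is_own_method` silently loses that ownership rule; whether that widens or narrows access depends on how the backend evaluates `<perm>_own_<model>`, which is not visible here. The fallback `request.user.has_perm(own_perm, current_object)` also only grants if an authentication backend handles object-level checks — Django's stock `ModelBackend` returns `False` whenever `obj` is passed — so this branch is a no-op (deny) unless the project registers such a backend, and a comment on that line naming the backend expected to evaluate it would save the next reader a hunt. `self.model._meta` raises `AttributeError` on a wizard without `model`, which the `hasattr(self, "model")` guard in `DeletionWizard.__init__` later in this patch suggests is possible; I would add `if not getattr(self, "model", None): return False` before the `meta` line. A docstring stating the contract, e.g. `"""Return True if request.user holds the add/change/delete permission on self.model, or the matching _own_ object permission on current_object."""`, belongs on the method.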
@@ -1790,6 +1802,8 @@ class MultipleItemWizard(Wizard):
 class MultipleDeletionWizard(MultipleItemWizard):
+    deletion = True
+
     def __init__(self, *args, **kwargs):
         if (not hasattr(self, "fields") or not self.fields) and (
             hasattr(self, "model") and hasattr(self.model, "TABLE_COLS")
-- 
cgit v1.2.3