From f34ee172417215395deb6e6a37648393c2b0e372 Mon Sep 17 00:00:00 2001 From: Étienne Loks Date: Tue, 11 Mar 2025 10:35:43 +0100 Subject: 🐛 permissions: fix own permission for sheets (refs #6183) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ishtar_common/views_item.py | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) (limited to 'ishtar_common') diff --git a/ishtar_common/views_item.py b/ishtar_common/views_item.py index 008dbd0eb..9ee5b9040 100644 --- a/ishtar_common/views_item.py +++ b/ishtar_common/views_item.py @@ -507,17 +507,6 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None): if not allowed: raise PermissionDenied() q = model.objects - if own: - meta = model._meta - if not request.user.has_perm( - f"{meta.app_label}.view_own_{meta.model_name}"): - raise PermissionDenied() - """ - TODO: remove - query_own = model.get_query_owns(request.user.ishtaruser) - if query_own: - q = q.filter(query_own).distinct() - """ doc_type = "type" in dct and dct.pop("type") try: url = reverse("show-" + name, args=["0", ""]) @@ -552,13 +541,19 @@ def show_item(model, name, extra_dct=None, model_for_perms=None, callback=None): return show_source_item(request, pk, model, name, dct, extra_dct) q = q.filter(pk=pk) if not q.count(): - return HttpResponse("") + raise PermissionDenied() + + item = q.all()[0] + + if own: + meta = model._meta + if not request.user.has_perm( + f"{meta.app_label}.view_own_{meta.model_name}", item): + raise PermissionDenied() if callback: callback("show_item", request, doc_type, q) - item = q.all()[0] - # list current perms for perm in Permission.objects.filter( codename__startswith='view_').values_list("codename", flat=True).all(): -- cgit v1.2.3
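Review bot: In the second hunk the `own` check now runs after the context line `return show_source_item(request, pk, model, name, dct, extra_dct)`, so that early return no longer passes through the `view_own_*` check that the first hunk removes from the top of `show_item`. The condition guarding that return is outside the hunk, so either confirm `show_source_item` does its own per-object check, or move `q = q.filter(pk=pk)`, the item lookup and `request.user.has_perm(f"{meta.app_label}.view_own_{meta.model_name}", item)` above that branch. The object-aware call only grants access if a configured auth backend evaluates the `obj` argument; Django's stock `ModelBackend` returns no permissions for a non-None object, which fails closed but would deny every `own` user, so a comment such as `# object-level check: needs a backend that resolves view_own_* against item` would help. A regression test with an owner and a non-owner requesting the same sheet through both paths would pin the intended behaviour.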