fix group access to info page
This commit is contained in:
parent
73ee17d1e5
commit
41b979b061
2 changed files with 3 additions and 7 deletions
|
@ -197,11 +197,7 @@ class Item(models.Model):
|
|||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||
if self.level <= allowed_level:
|
||||
return True
|
||||
elif user.is_authenticated() and \
|
||||
(self.user == user or \
|
||||
self.groups.filter(id__in=user.groups.all()).count() > 0):
|
||||
return True
|
||||
return False
|
||||
return self.editable(user)
|
||||
|
||||
def editable(self, user):
|
||||
if user.is_anonymous():
|
||||
|
|
|
@ -474,11 +474,11 @@ def get(request):
|
|||
if data['keys'] and 'files' in data['keys']:
|
||||
info['files'] = item.get_files(request.user)
|
||||
if not data['keys'] or 'groups' in data['keys'] \
|
||||
and request.user.get_profile().capability('canEditMetadata'):
|
||||
and item.editable(request.user):
|
||||
info['groups'] = [g.name for g in item.groups.all()]
|
||||
for k in settings.CONFIG['itemKeys']:
|
||||
if 'capability' in k \
|
||||
and not (request.user == item.user or has_capability(request.user, k['capability'])) \
|
||||
and not (item.editable(request.user) or has_capability(request.user, k['capability'])) \
|
||||
and k['id'] in info \
|
||||
and k['id'] not in ('parts', 'durations', 'duration'):
|
||||
del info[k['id']]
|
||||
|
|
Loading…
Reference in a new issue