fix group access to info page

This commit is contained in:
j 2013-07-15 15:45:24 +00:00
parent 73ee17d1e5
commit 41b979b061
2 changed files with 3 additions and 7 deletions

View file

@ -197,11 +197,7 @@ class Item(models.Model):
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
if self.level <= allowed_level:
return True
elif user.is_authenticated() and \
(self.user == user or \
self.groups.filter(id__in=user.groups.all()).count() > 0):
return True
return False
return self.editable(user)
def editable(self, user):
if user.is_anonymous():

View file

@ -474,11 +474,11 @@ def get(request):
if data['keys'] and 'files' in data['keys']:
info['files'] = item.get_files(request.user)
if not data['keys'] or 'groups' in data['keys'] \
and request.user.get_profile().capability('canEditMetadata'):
and item.editable(request.user):
info['groups'] = [g.name for g in item.groups.all()]
for k in settings.CONFIG['itemKeys']:
if 'capability' in k \
and not (request.user == item.user or has_capability(request.user, k['capability'])) \
and not (item.editable(request.user) or has_capability(request.user, k['capability'])) \
and k['id'] in info \
and k['id'] not in ('parts', 'durations', 'duration'):
del info[k['id']]