fix group access to info page

j 2013-07-15 15:45:24 +00:00
parent 73ee17d1e5
commit 41b979b061
2 changed files with 3 additions and 7 deletions


@ -197,11 +197,7 @@ class Item(models.Model):
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level] allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
if self.level <= allowed_level: if self.level <= allowed_level:
return True return True
elif user.is_authenticated() and \ return self.editable(user)
(self.user == user or \
self.groups.filter(id__in=user.groups.all()).count() > 0):
return True
return False
def editable(self, user): def editable(self, user):
if user.is_anonymous(): if user.is_anonymous():
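Review bot: Read access on the fall-through path now rests entirely on `editable(user)`, whose body lies outside this hunk, so nothing visible here confirms that the owner and group-member cases handled by the removed branch are still admitted. Because view permission is now coupled to edit permission, any later widening of `editable()` also widens who can see items above the public level; a comment above the new return would record that, e.g. `# above the public level, only users who may edit (see editable()) can view`. A regression test covering owner, group member, unrelated user and anonymous user for an item whose level exceeds `allowed_level` would pin the intended behaviour. The enclosing method starts above the hunk.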


@ -474,11 +474,11 @@ def get(request):
if data['keys'] and 'files' in data['keys']: if data['keys'] and 'files' in data['keys']:
info['files'] = item.get_files(request.user) info['files'] = item.get_files(request.user)
if not data['keys'] or 'groups' in data['keys'] \ if not data['keys'] or 'groups' in data['keys'] \
and request.user.get_profile().capability('canEditMetadata'): and item.editable(request.user):
info['groups'] = [g.name for g in item.groups.all()] info['groups'] = [g.name for g in item.groups.all()]
for k in settings.CONFIG['itemKeys']: for k in settings.CONFIG['itemKeys']:
if 'capability' in k \ if 'capability' in k \
and not (request.user == item.user or has_capability(request.user, k['capability'])) \ and not (item.editable(request.user) or has_capability(request.user, k['capability'])) \
and k['id'] in info \ and k['id'] in info \
and k['id'] not in ('parts', 'durations', 'duration'): and k['id'] not in ('parts', 'durations', 'duration'):
del info[k['id']] del info[k['id']]
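Review bot: The `groups` condition still mixes `or` and `and` without parentheses, so it parses as `not data['keys'] or ('groups' in data['keys'] and item.editable(request.user))`, and a request that names no keys fills `info['groups']` without the `editable()` check. If the group list is meant to be limited to users who may edit the item, which the new condition suggests, group it explicitly: `if (not data['keys'] or 'groups' in data['keys']) and item.editable(request.user):`. Whether the loop below would strip `groups` again depends on `settings.CONFIG['itemKeys']`, which is not visible here. `item.editable(request.user)` is also re-evaluated inside that loop for each capability-gated key, so computing it once before the loop would keep both checks on the same value. `get()` starts and continues outside the hunk.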