users can see private items if they own it. limit to max_level instead, a80af1 fixup

2023-01-04 14:41:39 +00:00 · 2023-01-04 14:41:39 +00:00 · 623bbd472c
commit 623bbd472c
parent 99a135c7d3
1 changed files with 2 additions and 3 deletions
--- a/pandora/item/models.py
+++ b/pandora/item/models.py
@ -233,9 +233,8 @@ class Item(models.Model):
    def editable(self, user):
        if user.is_anonymous:
            return False
-        level = user.profile.get_level()
-        allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
-        if self.level > allowed_level:
+        max_level = len(settings.CONFIG['rightsLevels'])
+        if self.level > max_level:
            return False
        if user.profile.capability('canEditMetadata') or \
           user.is_staff or \