diff --git a/pandora/document/managers/__init__.py b/pandora/document/managers/__init__.py
index 61a4ba9a..06d7fa71 100644
--- a/pandora/document/managers/__init__.py
+++ b/pandora/document/managers/__init__.py
@@ -298,6 +298,8 @@ class DocumentManager(Manager):
 q |= Q(groups__in=user.groups.all())
 rendered_q |= Q(groups__in=user.groups.all())
 qs = qs.filter(q)
+ max_level = len(settings.CONFIG['documentRightsLevels'])
+ qs = qs.filter(rightslevel__lte=max_level)
 return qs
diff --git a/pandora/document/models.py b/pandora/document/models.py
index 05c4c089..df5b8cb6 100644
--- a/pandora/document/models.py
+++ b/pandora/document/models.py
@@ -327,6 +327,9 @@ class Document(models.Model, FulltextMixin):
 def editable(self, user, item=None):
 if not user or user.is_anonymous:
 return False
+ max_level = len(settings.CONFIG['rightsLevels'])
+ if self.level > max_level:
+ return False
 if self.user == user or \
 self.groups.filter(id__in=user.groups.all()).count() > 0 or \
 user.is_staff or \
diff --git a/pandora/item/managers.py b/pandora/item/managers.py
index 654f1dfe..e0bff833 100644
--- a/pandora/item/managers.py
+++ b/pandora/item/managers.py
@@ -318,6 +318,8 @@ class ItemManager(Manager):
 q |= Q(groups__in=user.groups.all())
 rendered_q |= Q(groups__in=user.groups.all())
 qs = qs.filter(q)
+ max_level = len(settings.CONFIG['rightsLevels'])
+ qs = qs.filter(level__lte=max_level)
 if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
 qs = qs.filter(rendered_q)
 return qs
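Review bot: In `pandora/document/managers/__init__.py`, the bound `rightslevel__lte=max_level` with `max_level = len(settings.CONFIG['documentRightsLevels'])` accepts a value equal to the list length. If rights levels are zero-based indices into that list (not visible here), the highest configured level is `len(...) - 1`, so one out-of-range value still passes the filter; `qs = qs.filter(rightslevel__lt=max_level)` would be the tighter check. The same comparison appears in the `item/managers.py` hunk (`level__lte=max_level`) and in `Document.editable` (`self.level > max_level`). If a level equal to the list length is a deliberate sentinel, a one-line comment saying so would keep the bound from being changed by mistake later. The enclosing method starts outside the hunk.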
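Review bot: In `pandora/document/models.py`, the new guard in `Document.editable` reads `settings.CONFIG['rightsLevels']` and `self.level`, whereas the document manager hunk in this same commit uses `documentRightsLevels` and the `rightslevel` field for the same model. Unless `Document` defines a `level` attribute outside this hunk, the check raises `AttributeError` for every authenticated caller instead of returning False. Even if the attribute exists, the check compares against the item list and not the document list. The likely intent is `max_level = len(settings.CONFIG['documentRightsLevels'])` followed by `if self.rightslevel > max_level:`. The method body continues past the end of the hunk.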
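Review bot: In `pandora/item/managers.py`, the added `level__lte=max_level` filter has no comment, and the `level != 'admin'` test only guards the `rendered_q` filter that follows it. The new filter therefore appears to apply to admin-level users too, so an item stored with an out-of-range level could not be reached through this queryset by anyone able to correct it. If that is intended, state it next to the filter, e.g. `# items whose level lies beyond the configured rightsLevels are hidden from everyone, admins included`. Indentation is lost on this page, so whether the added lines sit inside the preceding branch cannot be confirmed here, and the function starts outside the hunk.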