From 873ec2780325d8417b35037f1358755e68fa6266 Mon Sep 17 00:00:00 2001
From: j
Date: Thu, 5 Jan 2023 14:03:44 +0000
Subject: [PATCH] only list items/documents < max level
---
 pandora/document/managers/__init__.py | 2 ++
 pandora/document/models.py | 3 +++
 pandora/item/managers.py | 2 ++
 3 files changed, 7 insertions(+)
diff --git a/pandora/document/managers/__init__.py b/pandora/document/managers/__init__.py
index 61a4ba9a..06d7fa71 100644
--- a/pandora/document/managers/__init__.py
+++ b/pandora/document/managers/__init__.py
@@ -298,6 +298,8 @@ class DocumentManager(Manager):
 q |= Q(groups__in=user.groups.all())
 rendered_q |= Q(groups__in=user.groups.all())
 qs = qs.filter(q)
+ max_level = len(settings.CONFIG['documentRightsLevels'])
+ qs = qs.filter(rightslevel__lte=max_level)
 return qs
diff --git a/pandora/document/models.py b/pandora/document/models.py
index 05c4c089..df5b8cb6 100644
--- a/pandora/document/models.py
+++ b/pandora/document/models.py
@@ -327,6 +327,9 @@ class Document(models.Model, FulltextMixin):
 def editable(self, user, item=None):
 if not user or user.is_anonymous:
 return False
+ max_level = len(settings.CONFIG['rightsLevels'])
+ if self.level > max_level:
+ return False
 if self.user == user or \
 self.groups.filter(id__in=user.groups.all()).count() > 0 or \
 user.is_staff or \
diff --git a/pandora/item/managers.py b/pandora/item/managers.py
index 654f1dfe..e0bff833 100644
--- a/pandora/item/managers.py
+++ b/pandora/item/managers.py
@@ -318,6 +318,8 @@ class ItemManager(Manager):
 q |= Q(groups__in=user.groups.all())
 rendered_q |= Q(groups__in=user.groups.all())
 qs = qs.filter(q)
+ max_level = len(settings.CONFIG['rightsLevels'])
+ qs = qs.filter(level__lte=max_level)
 if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
 qs = qs.filter(rendered_q)
 return qs
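Review bot: The added filter `rightslevel__lte=max_level` compares with `<=` against `len(settings.CONFIG['documentRightsLevels'])`, while the commit subject says "< max level". If rights levels are zero-based indices into that list (the configuration is not visible here, so this should be confirmed), the highest valid level is `len(...) - 1` and a document whose level equals the list length would still be listed; `qs = qs.filter(rightslevel__lt=max_level)` would match the stated intent. The same boundary appears in the `pandora/item/managers.py` hunk as `level__lte=max_level` and in `Document.editable` as `self.level > max_level`. The enclosing manager method starts outside the hunk, so which callers the new filter applies to cannot be checked from here.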
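Review bot: In `Document.editable` the added check reads `settings.CONFIG['rightsLevels']` and `self.level`, but the document manager hunk in this same patch uses `documentRightsLevels` and the `rightslevel` field for documents. If `Document` has no `level` attribute (the model fields are outside the hunk), this line raises `AttributeError` for every authenticated caller, so the permission check fails with an error instead of returning a decision. Even if the attribute exists, the bound would come from the item configuration and not the document one. The suggested lines are `max_level = len(settings.CONFIG['documentRightsLevels'])` and `if self.rightslevel > max_level:`. The rest of `editable` continues past the end of the hunk.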