fix group access to info page

pandora/item/models.py

@@ -197,11 +197,7 @@ class Item(models.Model):
         allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
         if self.level <= allowed_level:
             return True
-        elif user.is_authenticated() and \
+        return self.editable(user)
-             (self.user == user or \
-              self.groups.filter(id__in=user.groups.all()).count() > 0):
-                return True
-        return False
 
     def editable(self, user):
         if user.is_anonymous():

pandora/item/views.py

@@ -474,11 +474,11 @@ def get(request):
         if data['keys'] and 'files' in data['keys']:
             info['files'] = item.get_files(request.user)
         if not data['keys'] or 'groups' in data['keys'] \
-           and request.user.get_profile().capability('canEditMetadata'):
+                and item.editable(request.user):
             info['groups'] = [g.name for g in item.groups.all()]
         for k in settings.CONFIG['itemKeys']:
             if 'capability' in k \
-                and not (request.user == item.user or has_capability(request.user, k['capability'])) \
+                and not (item.editable(request.user) or has_capability(request.user, k['capability'])) \
                 and k['id'] in info \
                 and k['id'] not in ('parts', 'durations', 'duration'):
                     del info[k['id']]