only list items/documents < max level

2023-01-05 14:03:44 +00:00 · 2023-01-05 14:03:44 +00:00 · 873ec27803
commit 873ec27803
parent 623bbd472c
3 changed files with 7 additions and 0 deletions
--- a/pandora/document/managers/init.py
+++ b/pandora/document/managers/init.py
@ -298,6 +298,8 @@ class DocumentManager(Manager):
                q |= Q(groups__in=user.groups.all())
                rendered_q |= Q(groups__in=user.groups.all())
            qs = qs.filter(q)
+            max_level = len(settings.CONFIG['documentRightsLevels'])
+            qs = qs.filter(rightslevel__lte=max_level)

        return qs

--- a/pandora/document/models.py
+++ b/pandora/document/models.py
@ -327,6 +327,9 @@ class Document(models.Model, FulltextMixin):
    def editable(self, user, item=None):
        if not user or user.is_anonymous:
            return False
+        max_level = len(settings.CONFIG['rightsLevels'])
+        if self.level > max_level:
+            return False
        if self.user == user or \
           self.groups.filter(id__in=user.groups.all()).count() > 0 or \
           user.is_staff or \
--- a/pandora/item/managers.py
+++ b/pandora/item/managers.py
@ -318,6 +318,8 @@ class ItemManager(Manager):
                q |= Q(groups__in=user.groups.all())
                rendered_q |= Q(groups__in=user.groups.all())
            qs = qs.filter(q)
+            max_level = len(settings.CONFIG['rightsLevels'])
+            qs = qs.filter(level__lte=max_level)
        if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
            qs = qs.filter(rendered_q)
        return qs