rendered items should only be available to users that can edit them, fixes #1197

j 2013-07-23 11:38:50 +00:00
parent 8466c054f2
commit 9491d68227
2 changed files with 15 additions and 4 deletions


@ -313,14 +313,20 @@ class ItemManager(Manager):
#anonymous can only see public items
if not user or user.is_anonymous():
allowed_level = settings.CONFIG['capabilities']['canSeeItem']['guest']
level = 'guest'
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
qs = qs.filter(level__lte=allowed_level)
rendered_q = Q(rendered=True)
#users can see public items, there own items and items of there groups
else:
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][user.get_profile().get_level()]
level = user.get_profile().get_level()
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
q = Q(level__lte=allowed_level)|Q(user=user)
rendered_q = Q(rendered=True)|Q(user=user)
if user.groups.count():
q |= Q(groups__in=user.groups.all())
rendered_q |= Q(groups__in=user.groups.all())
qs = qs.filter(q)
#admins can see all available items
if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
qs = qs.filter(rendered_q)
return qs
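Review bot: The unrendered-item rule in this queryset filter is approximated with `Q(user=user)`, group membership and the literal `level != 'admin'`, while the per-item check in the second file section answers the same question with `self.editable(user)`. If `editable()` (its body is outside this page) grants or denies edit rights on any other basis, list results and direct item access will disagree about who may see an unrendered item. I would state the intended equivalence above the final filter, e.g. `# must stay in sync with Item.editable(): owner, group member or admin`, and add a test that compares both paths for guest, member, owner and admin users. Separately, `rendered_q` is applied in its own `filter()` call with a second `groups__in` condition, so duplicate rows may appear unless `.distinct()` is applied in code not shown here.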


@ -194,10 +194,15 @@ class Item(models.Model):
level = 'guest'
else:
level = user.get_profile().get_level()
editable = self.editable(user)
if editable:
return True
if not self.rendered and settings.CONFIG.get('itemRequiresVideo'):
return False
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
if self.level <= allowed_level:
return True
return self.editable(user)
return False
def editable(self, user):
if user.is_anonymous():
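Review bot: The order of the three checks in this method now carries the access policy, and nothing in the code says so. A short comment before the first check, such as `# editors always have access, including to unrendered items`, would keep a later reordering from exposing unrendered items to non-editors. The local `editable` is read only once, so `if self.editable(user): return True` is enough, and the tail can be written as `return self.level <= allowed_level`. The method begins above this hunk and `editable()` continues below it, so this applies only to the lines shown.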