rendered items should only be available to users that can edit them, fixes #1197
parent
8466c054f2
commit
9491d68227
2 changed files with 15 additions and 4 deletions
|
@ -313,14 +313,20 @@ class ItemManager(Manager):
|
|||
|
||||
#anonymous can only see public items
|
||||
if not user or user.is_anonymous():
|
||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem']['guest']
|
||||
level = 'guest'
|
||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||
qs = qs.filter(level__lte=allowed_level)
|
||||
rendered_q = Q(rendered=True)
|
||||
#users can see public items, there own items and items of there groups
|
||||
else:
|
||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][user.get_profile().get_level()]
|
||||
level = user.get_profile().get_level()
|
||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||
q = Q(level__lte=allowed_level)|Q(user=user)
|
||||
rendered_q = Q(rendered=True)|Q(user=user)
|
||||
if user.groups.count():
|
||||
q |= Q(groups__in=user.groups.all())
|
||||
rendered_q |= Q(groups__in=user.groups.all())
|
||||
qs = qs.filter(q)
|
||||
#admins can see all available items
|
||||
if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
|
||||
qs = qs.filter(rendered_q)
|
||||
return qs
|
||||
|
|
|
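Review bot: The `rendered_q` filter approximates "can edit" as owner or group member, with a hard-coded `level != 'admin'` exemption, whereas the per-item check in `Item` asks `self.editable(user)`; if `editable()` applies any other rule (its body is not visible here), list queries and single-item access will disagree about who may see unrendered items. Deriving both from one definition would be safer, or at least add a comment above `rendered_q` such as `# must stay in sync with Item.editable()`. Separately, `qs.filter(q)` and the later `qs.filter(rendered_q)` both reference `groups__in`, and chained `filter()` calls on a multi-valued relation join it separately, so this may return duplicate rows unless the queryset is made distinct elsewhere. The enclosing method starts outside the hunk.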
@ -194,10 +194,15 @@ class Item(models.Model):
|
|||
level = 'guest'
|
||||
else:
|
||||
level = user.get_profile().get_level()
|
||||
editable = self.editable(user)
|
||||
if editable:
|
||||
return True
|
||||
if not self.rendered and settings.CONFIG.get('itemRequiresVideo'):
|
||||
return False
|
||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||
if self.level <= allowed_level:
|
||||
return True
|
||||
return self.editable(user)
|
||||
return False
|
||||
|
||||
def editable(self, user):
|
||||
if user.is_anonymous():
|
||||
|
|
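Review bot: `self.editable(user)` is now called before any other check, and `editable()` opens with `user.is_anonymous()`, so a `None` user would raise `AttributeError` on every call; previously the call appears to have been reached only after the level check failed. The manager in the other changed file accepts `not user`, and if this method (whose start is outside the hunk) does the same, the call needs a guard, e.g. `if user and self.editable(user): return True`. The tail could then be written as `return self.level <= allowed_level`.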