rendered items should only be available to users that can edit them, fixes #1197
parent
8466c054f2
commit
9491d68227
2 changed files with 15 additions and 4 deletions
|
@ -313,14 +313,20 @@ class ItemManager(Manager):
|
||||||
|
|
||||||
#anonymous can only see public items
|
#anonymous can only see public items
|
||||||
if not user or user.is_anonymous():
|
if not user or user.is_anonymous():
|
||||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem']['guest']
|
level = 'guest'
|
||||||
|
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||||
qs = qs.filter(level__lte=allowed_level)
|
qs = qs.filter(level__lte=allowed_level)
|
||||||
|
rendered_q = Q(rendered=True)
|
||||||
#users can see public items, there own items and items of there groups
|
#users can see public items, there own items and items of there groups
|
||||||
else:
|
else:
|
||||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][user.get_profile().get_level()]
|
level = user.get_profile().get_level()
|
||||||
|
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||||
q = Q(level__lte=allowed_level)|Q(user=user)
|
q = Q(level__lte=allowed_level)|Q(user=user)
|
||||||
|
rendered_q = Q(rendered=True)|Q(user=user)
|
||||||
if user.groups.count():
|
if user.groups.count():
|
||||||
q |= Q(groups__in=user.groups.all())
|
q |= Q(groups__in=user.groups.all())
|
||||||
|
rendered_q |= Q(groups__in=user.groups.all())
|
||||||
qs = qs.filter(q)
|
qs = qs.filter(q)
|
||||||
#admins can see all available items
|
if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
|
||||||
|
qs = qs.filter(rendered_q)
|
||||||
return qs
|
return qs
|
||||||
|
|
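Review bot: The rendered gate added at the end of this hunk exempts only `level != 'admin'`, while the per-item check in the `class Item` hunk exempts anyone for whom `self.editable(user)` is true. The body of editable() is not shown on this page, so this is inferred, but if it grants edit rights by anything other than the literal 'admin' level (plus owner and group membership, which `rendered_q` does cover), list queries and single-item access will disagree about who may see unrendered items. Deriving both from one rule would remove the drift; failing that, a comment above the new `if` would record the coupling, e.g. `# must stay in sync with Item.editable(): owner, group members and admins bypass the rendered gate`. The enclosing method starts outside the hunk.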
|
@ -194,10 +194,15 @@ class Item(models.Model):
|
||||||
level = 'guest'
|
level = 'guest'
|
||||||
else:
|
else:
|
||||||
level = user.get_profile().get_level()
|
level = user.get_profile().get_level()
|
||||||
|
editable = self.editable(user)
|
||||||
|
if editable:
|
||||||
|
return True
|
||||||
|
if not self.rendered and settings.CONFIG.get('itemRequiresVideo'):
|
||||||
|
return False
|
||||||
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
|
||||||
if self.level <= allowed_level:
|
if self.level <= allowed_level:
|
||||||
return True
|
return True
|
||||||
return self.editable(user)
|
return False
|
||||||
|
|
||||||
def editable(self, user):
|
def editable(self, user):
|
||||||
if user.is_anonymous():
|
if user.is_anonymous():
|
||||||
|
|
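Review bot: The order of the new checks is what enforces the policy (editors return early, everyone else is denied on an unrendered item before the level comparison), and nothing in the code says so, which makes it easy for a later reorder to reopen unrendered items. A comment above the early return would pin it, e.g. `# editors bypass the rendered gate; keep this before the itemRequiresVideo check`. As style, the `editable` local is used once, so `if self.editable(user): return True` reads more directly, and the tail can be `return self.level <= allowed_level`. editable() now runs on every access check instead of only as a fallback; its body is outside the hunk, so whether that costs an extra query per call cannot be confirmed from here. The enclosing method starts outside the hunk.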