Protect views from viewing if the user has no right to view an object

2025-06-21 01:48:21 +02:00 · 2020-03-19 02:26:06 +01:00
parent e461d70b14
commit 730d37c620
9 changed files with 116 additions and 35 deletions
--- a/apps/note/views.py
+++ b/apps/note/views.py
@ -9,6 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from django.views.generic import CreateView, ListView, UpdateView
 from django_tables2 import SingleTableView

+from member.backends import PermissionBackend
 from .forms import TransactionTemplateForm
 from .models import Transaction, TransactionTemplate, Alias, TemplateTransaction, NoteSpecial
 from .models.transactions import SpecialTransaction
@ -18,16 +19,18 @@ from .tables import HistoryTable
 class TransactionCreate(LoginRequiredMixin, SingleTableView):
    """
    Show transfer page
-
-    TODO: If user have sufficient rights, they can transfer from an other note
    """
-    queryset = Transaction.objects.order_by("-id").all()[:50]
    template_name = "note/transaction_form.html"

    # Transaction history table
    table_class = HistoryTable
    table_pagination = {"per_page": 50}

+    def get_queryset(self):
+        return Transaction.objects.filter(PermissionBackend
+                                          .filter_queryset(self.request.user, Transaction, "view")) \
+                                            .order_by("-id").all()[:50]
+
    def get_context_data(self, **kwargs):
        """
        Add some context variables in template such as page title
@ -117,21 +120,26 @@ class ConsoView(LoginRequiredMixin, SingleTableView):
    """
    Consume
    """
-    queryset = Transaction.objects.order_by("-id").all()[:50]
    template_name = "note/conso_form.html"

    # Transaction history table
    table_class = HistoryTable
    table_pagination = {"per_page": 50}

+    def get_queryset(self):
+        return Transaction.objects.filter(PermissionBackend
+                                          .filter_queryset(self.request.user, Transaction, "view")) \
+                                            .order_by("-id").all()[:50]
+
    def get_context_data(self, **kwargs):
        """
        Add some context variables in template such as page title
        """
        context = super().get_context_data(**kwargs)
        from django.db.models import Count
-        buttons = TransactionTemplate.objects.filter(display=True) \
-            .annotate(clicks=Count('templatetransaction')).order_by('category__name', 'name')
+        buttons = TransactionTemplate.objects.filter(PermissionBackend()
+                                                     .filter_queryset(self.request.user, TransactionTemplate, "view")) \
+            .filter(display=True).annotate(clicks=Count('templatetransaction')).order_by('category__name', 'name')
        context['transaction_templates'] = buttons
        context['most_used'] = buttons.order_by('-clicks', 'name')[:10]
        context['title'] = _("Consumptions")