Mirrored_Repos/InvenTree
1
0
Fork 0
mirror of https://github.com/inventree/InvenTree synced 2024-08-30 18:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change part views to require permissions

Browse Source 
Also adds custom 403 page
This commit is contained in:
Oliver Walters 2020-10-05 23:49:32 +11:00
parent 796e89c921
commit 4d49cb029f
3 changed files with 108 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
InvenTree/part/views.py
View File

@ -12,6 +12,7 @@ from django.shortcuts import HttpResponseRedirect
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from django.urls import reverse, reverse_lazy from django.urls import reverse, reverse_lazy
from django.views.generic import DetailView, ListView, FormView, UpdateView from django.views.generic import DetailView, ListView, FormView, UpdateView
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.forms.models import model_to_dict from django.forms.models import model_to_dict
from django.forms import HiddenInput, CheckboxInput from django.forms import HiddenInput, CheckboxInput
from django.conf import settings from django.conf import settings
@ -42,12 +43,13 @@ from InvenTree.views import QRCodeView
from InvenTree.helpers import DownloadFile, str2bool from InvenTree.helpers import DownloadFile, str2bool
class PartIndex(ListView): class PartIndex(PermissionRequiredMixin, ListView):
""" View for displaying list of Part objects """ View for displaying list of Part objects
""" """
model = Part model = Part
template_name = 'part/category.html' template_name = 'part/category.html'
context_object_name = 'parts' context_object_name = 'parts'
permission_required = ('part.view_part', 'part.view_partcategory')
def get_queryset(self): def get_queryset(self):
return Part.objects.all().select_related('category') return Part.objects.all().select_related('category')
@ -76,6 +78,8 @@ class PartAttachmentCreate(AjaxCreateView):
ajax_form_title = _("Add part attachment") ajax_form_title = _("Add part attachment")
ajax_template_name = "modal_form.html" ajax_template_name = "modal_form.html"
permission_required = 'part.create_partattachment'
def post_save(self): def post_save(self):
""" Record the user that uploaded the attachment """ """ Record the user that uploaded the attachment """
self.object.user = self.request.user self.object.user = self.request.user
@ -123,6 +127,8 @@ class PartAttachmentEdit(AjaxUpdateView):
form_class = part_forms.EditPartAttachmentForm form_class = part_forms.EditPartAttachmentForm
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
ajax_form_title = _('Edit attachment') ajax_form_title = _('Edit attachment')
permission_required = 'part.change_partattachment'
def get_data(self): def get_data(self):
return { return {
@ -145,6 +151,8 @@ class PartAttachmentDelete(AjaxDeleteView):
ajax_template_name = "attachment_delete.html" ajax_template_name = "attachment_delete.html"
context_object_name = "attachment" context_object_name = "attachment"
permission_required = 'part.delete_partattachment'
def get_data(self): def get_data(self):
return { return {
'danger': _('Deleted part attachment') 'danger': _('Deleted part attachment')
@ -157,6 +165,8 @@ class PartTestTemplateCreate(AjaxCreateView):
model = PartTestTemplate model = PartTestTemplate
form_class = part_forms.EditPartTestTemplateForm form_class = part_forms.EditPartTestTemplateForm
ajax_form_title = _("Create Test Template") ajax_form_title = _("Create Test Template")
permission_required = 'part.create_parttesttemplate'
def get_initial(self): def get_initial(self):
@ -185,6 +195,8 @@ class PartTestTemplateEdit(AjaxUpdateView):
form_class = part_forms.EditPartTestTemplateForm form_class = part_forms.EditPartTestTemplateForm
ajax_form_title = _("Edit Test Template") ajax_form_title = _("Edit Test Template")
permission_required = 'part.change_parttesttemplate'
def get_form(self): def get_form(self):
form = super().get_form() form = super().get_form()
@ -199,6 +211,8 @@ class PartTestTemplateDelete(AjaxDeleteView):
model = PartTestTemplate model = PartTestTemplate
ajax_form_title = _("Delete Test Template") ajax_form_title = _("Delete Test Template")
permission_required = 'part.delete_parttesttemplate'
class PartSetCategory(AjaxUpdateView): class PartSetCategory(AjaxUpdateView):
""" View for settings the part category for multiple parts at once """ """ View for settings the part category for multiple parts at once """
@ -207,6 +221,8 @@ class PartSetCategory(AjaxUpdateView):
ajax_form_title = _('Set Part Category') ajax_form_title = _('Set Part Category')
form_class = part_forms.SetPartCategoryForm form_class = part_forms.SetPartCategoryForm
permission_required = 'part.change_part'
category = None category = None
parts = [] parts = []
@ -290,6 +306,8 @@ class MakePartVariant(AjaxCreateView):
ajax_form_title = _('Create Variant') ajax_form_title = _('Create Variant')
ajax_template_name = 'part/variant_part.html' ajax_template_name = 'part/variant_part.html'
permission_required = 'part.create_part'
def get_part_template(self): def get_part_template(self):
return get_object_or_404(Part, id=self.kwargs['pk']) return get_object_or_404(Part, id=self.kwargs['pk'])
@ -368,6 +386,8 @@ class PartDuplicate(AjaxCreateView):
ajax_form_title = _("Duplicate Part") ajax_form_title = _("Duplicate Part")
ajax_template_name = "part/copy_part.html" ajax_template_name = "part/copy_part.html"
permission_required = 'part.create_part'
def get_data(self): def get_data(self):
return { return {
'success': _('Copied part') 'success': _('Copied part')
@ -491,6 +511,8 @@ class PartCreate(AjaxCreateView):
ajax_form_title = _('Create new part') ajax_form_title = _('Create new part')
ajax_template_name = 'part/create_part.html' ajax_template_name = 'part/create_part.html'
permission_required = 'part.create_part'
def get_data(self): def get_data(self):
return { return {
'success': _("Created new part"), 'success': _("Created new part"),
@ -613,6 +635,8 @@ class PartNotes(UpdateView):
template_name = 'part/notes.html' template_name = 'part/notes.html'
model = Part model = Part
permission_required = 'part.update_part'
fields = ['notes'] fields = ['notes']
def get_success_url(self): def get_success_url(self):
@ -634,7 +658,7 @@ class PartNotes(UpdateView):
return ctx return ctx
class PartDetail(DetailView): class PartDetail(PermissionRequiredMixin, DetailView):
""" Detail view for Part object """ Detail view for Part object
""" """
@ -642,6 +666,8 @@ class PartDetail(DetailView):
queryset = Part.objects.all().select_related('category') queryset = Part.objects.all().select_related('category')
template_name = 'part/detail.html' template_name = 'part/detail.html'
permission_required = 'part.view_part'
# Add in some extra context information based on query params # Add in some extra context information based on query params
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
""" Provide extra context data to template """ Provide extra context data to template
@ -706,6 +732,8 @@ class PartQRCode(QRCodeView):
ajax_form_title = _("Part QR Code") ajax_form_title = _("Part QR Code")
permission_required = 'part.view_part'
def get_qr_data(self): def get_qr_data(self):
""" Generate QR code data for the Part """ """ Generate QR code data for the Part """
@ -722,8 +750,11 @@ class PartImageUpload(AjaxUpdateView):
model = Part model = Part
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
ajax_form_title = _('Upload Part Image') ajax_form_title = _('Upload Part Image')
form_class = part_forms.PartImageForm form_class = part_forms.PartImageForm
permission_required = 'part.update_part'
def get_data(self): def get_data(self):
return { return {
'success': _('Updated part image'), 'success': _('Updated part image'),
@ -737,6 +768,8 @@ class PartImageSelect(AjaxUpdateView):
ajax_template_name = 'part/select_image.html' ajax_template_name = 'part/select_image.html'
ajax_form_title = _('Select Part Image') ajax_form_title = _('Select Part Image')
permission_required = 'part.update_part'
fields = [ fields = [
'image', 'image',
] ]
@ -778,6 +811,8 @@ class PartEdit(AjaxUpdateView):
ajax_form_title = _('Edit Part Properties') ajax_form_title = _('Edit Part Properties')
context_object_name = 'part' context_object_name = 'part'
permission_required = 'part.update_part'
def get_form(self): def get_form(self):
""" Create form for Part editing. """ Create form for Part editing.
Overrides default get_form() method to limit the choices Overrides default get_form() method to limit the choices
@ -802,6 +837,8 @@ class BomValidate(AjaxUpdateView):
context_object_name = 'part' context_object_name = 'part'
form_class = part_forms.BomValidateForm form_class = part_forms.BomValidateForm
permission_required = ('part.update_part')
def get_context(self): def get_context(self):
return { return {
'part': self.get_object(), 'part': self.get_object(),
@ -832,7 +869,7 @@ class BomValidate(AjaxUpdateView):
return self.renderJsonResponse(request, form, data, context=self.get_context()) return self.renderJsonResponse(request, form, data, context=self.get_context())
class BomUpload(FormView): class BomUpload(PermissionRequiredMixin, FormView):
""" View for uploading a BOM file, and handling BOM data importing. """ View for uploading a BOM file, and handling BOM data importing.
The BOM upload process is as follows: The BOM upload process is as follows:
@ -868,6 +905,8 @@ class BomUpload(FormView):
missing_columns = [] missing_columns = []
allowed_parts = [] allowed_parts = []
permission_required = ('part.update_part', 'part.create_bomitem')
def get_success_url(self): def get_success_url(self):
part = self.get_object() part = self.get_object()
return reverse('upload-bom', kwargs={'pk': part.id}) return reverse('upload-bom', kwargs={'pk': part.id})
@ -1466,6 +1505,8 @@ class BomUpload(FormView):
class PartExport(AjaxView): class PartExport(AjaxView):
""" Export a CSV file containing information on multiple parts """ """ Export a CSV file containing information on multiple parts """
permission_required = 'part.view_part'
def get_parts(self, request): def get_parts(self, request):
""" Extract part list from the POST parameters. """ Extract part list from the POST parameters.
Parts can be supplied as: Parts can be supplied as:
@ -1543,6 +1584,8 @@ class BomDownload(AjaxView):
- File format should be passed as a query param e.g. ?format=csv - File format should be passed as a query param e.g. ?format=csv
""" """
permission_required = ('part.view_part', 'part.view_bomitem')
model = Part model = Part
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
@ -1596,6 +1639,8 @@ class BomExport(AjaxView):
form_class = part_forms.BomExportForm form_class = part_forms.BomExportForm
ajax_form_title = _("Export Bill of Materials") ajax_form_title = _("Export Bill of Materials")
permission_required = ('part.view_part', 'part.view_bomitem')
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
return self.renderJsonResponse(request, self.form_class()) return self.renderJsonResponse(request, self.form_class())
@ -1645,6 +1690,8 @@ class PartDelete(AjaxDeleteView):
ajax_form_title = _('Confirm Part Deletion') ajax_form_title = _('Confirm Part Deletion')
context_object_name = 'part' context_object_name = 'part'
permission_required = 'part.delete_part'
success_url = '/part/' success_url = '/part/'
def get_data(self): def get_data(self):
@ -1661,6 +1708,8 @@ class PartPricing(AjaxView):
ajax_form_title = _("Part Pricing") ajax_form_title = _("Part Pricing")
form_class = part_forms.PartPriceForm form_class = part_forms.PartPriceForm
permission_required = ('company.view_supplierpricebreak', 'part.view_part')
def get_part(self): def get_part(self):
try: try:
return Part.objects.get(id=self.kwargs['pk']) return Part.objects.get(id=self.kwargs['pk'])
@ -1778,6 +1827,8 @@ class PartPricing(AjaxView):
class PartParameterTemplateCreate(AjaxCreateView): class PartParameterTemplateCreate(AjaxCreateView):
""" View for creating a new PartParameterTemplate """ """ View for creating a new PartParameterTemplate """
permission_required = 'part.create_partparametertemplate'
model = PartParameterTemplate model = PartParameterTemplate
form_class = part_forms.EditPartParameterTemplateForm form_class = part_forms.EditPartParameterTemplateForm
ajax_form_title = _('Create Part Parameter Template') ajax_form_title = _('Create Part Parameter Template')
@ -1786,6 +1837,8 @@ class PartParameterTemplateCreate(AjaxCreateView):
class PartParameterTemplateEdit(AjaxUpdateView): class PartParameterTemplateEdit(AjaxUpdateView):
""" View for editing a PartParameterTemplate """ """ View for editing a PartParameterTemplate """
permission_required = 'part.change_partparametertemplate'
model = PartParameterTemplate model = PartParameterTemplate
form_class = part_forms.EditPartParameterTemplateForm form_class = part_forms.EditPartParameterTemplateForm
ajax_form_title = _('Edit Part Parameter Template') ajax_form_title = _('Edit Part Parameter Template')
@ -1794,6 +1847,8 @@ class PartParameterTemplateEdit(AjaxUpdateView):
class PartParameterTemplateDelete(AjaxDeleteView): class PartParameterTemplateDelete(AjaxDeleteView):
""" View for deleting an existing PartParameterTemplate """ """ View for deleting an existing PartParameterTemplate """
permission_required = 'part.delete_partparametertemplate'
model = PartParameterTemplate model = PartParameterTemplate
ajax_form_title = _("Delete Part Parameter Template") ajax_form_title = _("Delete Part Parameter Template")
@ -1801,6 +1856,8 @@ class PartParameterTemplateDelete(AjaxDeleteView):
class PartParameterCreate(AjaxCreateView): class PartParameterCreate(AjaxCreateView):
""" View for creating a new PartParameter """ """ View for creating a new PartParameter """
permission_required = 'part.create_partparameter'
model = PartParameter model = PartParameter
form_class = part_forms.EditPartParameterForm form_class = part_forms.EditPartParameterForm
ajax_form_title = _('Create Part Parameter') ajax_form_title = _('Create Part Parameter')
@ -1851,6 +1908,8 @@ class PartParameterCreate(AjaxCreateView):
class PartParameterEdit(AjaxUpdateView): class PartParameterEdit(AjaxUpdateView):
""" View for editing a PartParameter """ """ View for editing a PartParameter """
permission_required = 'part.change_partparameter'
model = PartParameter model = PartParameter
form_class = part_forms.EditPartParameterForm form_class = part_forms.EditPartParameterForm
ajax_form_title = _('Edit Part Parameter') ajax_form_title = _('Edit Part Parameter')
@ -1865,12 +1924,14 @@ class PartParameterEdit(AjaxUpdateView):
class PartParameterDelete(AjaxDeleteView): class PartParameterDelete(AjaxDeleteView):
""" View for deleting a PartParameter """ """ View for deleting a PartParameter """
permission_required = 'part.delete_partparameter'
model = PartParameter model = PartParameter
ajax_template_name = 'part/param_delete.html' ajax_template_name = 'part/param_delete.html'
ajax_form_title = _('Delete Part Parameter') ajax_form_title = _('Delete Part Parameter')
class CategoryDetail(DetailView): class CategoryDetail(PermissionRequiredMixin, DetailView):
""" Detail view for PartCategory """ """ Detail view for PartCategory """
model = PartCategory model = PartCategory
@ -1878,6 +1939,8 @@ class CategoryDetail(DetailView):
queryset = PartCategory.objects.all().prefetch_related('children') queryset = PartCategory.objects.all().prefetch_related('children')
template_name = 'part/category_partlist.html' template_name = 'part/category_partlist.html'
permission_required = 'part.view_partcategory'
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(CategoryDetail, self).get_context_data(**kwargs).copy() context = super(CategoryDetail, self).get_context_data(**kwargs).copy()
@ -1926,6 +1989,8 @@ class CategoryEdit(AjaxUpdateView):
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
ajax_form_title = _('Edit Part Category') ajax_form_title = _('Edit Part Category')
permission_required = 'part.change_partcategory'
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(CategoryEdit, self).get_context_data(**kwargs).copy() context = super(CategoryEdit, self).get_context_data(**kwargs).copy()
@ -1963,6 +2028,8 @@ class CategoryDelete(AjaxDeleteView):
context_object_name = 'category' context_object_name = 'category'
success_url = '/part/' success_url = '/part/'
permission_required = 'part.delete_partcategory'
def get_data(self): def get_data(self):
return { return {
'danger': _('Part category was deleted'), 'danger': _('Part category was deleted'),
@ -1977,6 +2044,8 @@ class CategoryCreate(AjaxCreateView):
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
form_class = part_forms.EditCategoryForm form_class = part_forms.EditCategoryForm
permission_required = 'part.create_partcategory'
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
""" Add extra context data to template. """ Add extra context data to template.
@ -2012,12 +2081,14 @@ class CategoryCreate(AjaxCreateView):
return initials return initials
class BomItemDetail(DetailView): class BomItemDetail(PermissionRequiredMixin, DetailView):
""" Detail view for BomItem """ """ Detail view for BomItem """
context_object_name = 'item' context_object_name = 'item'
queryset = BomItem.objects.all() queryset = BomItem.objects.all()
template_name = 'part/bom-detail.html' template_name = 'part/bom-detail.html'
permission_required = 'part.view_bomitem'
class BomItemCreate(AjaxCreateView): class BomItemCreate(AjaxCreateView):
""" Create view for making a new BomItem object """ """ Create view for making a new BomItem object """
@ -2026,6 +2097,8 @@ class BomItemCreate(AjaxCreateView):
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
ajax_form_title = _('Create BOM item') ajax_form_title = _('Create BOM item')
permission_required = 'part.create_bomitem'
def get_form(self): def get_form(self):
""" Override get_form() method to reduce Part selection options. """ Override get_form() method to reduce Part selection options.
@ -2092,6 +2165,8 @@ class BomItemEdit(AjaxUpdateView):
ajax_template_name = 'modal_form.html' ajax_template_name = 'modal_form.html'
ajax_form_title = _('Edit BOM item') ajax_form_title = _('Edit BOM item')
permission_required = 'part.change_bomitem'
def get_form(self): def get_form(self):
""" Override get_form() method to filter part selection options """ Override get_form() method to filter part selection options
@ -2140,6 +2215,8 @@ class BomItemDelete(AjaxDeleteView):
context_object_name = 'item' context_object_name = 'item'
ajax_form_title = _('Confim BOM item deletion') ajax_form_title = _('Confim BOM item deletion')
permission_required = 'part.delete_bomitem'
class PartSalePriceBreakCreate(AjaxCreateView): class PartSalePriceBreakCreate(AjaxCreateView):
""" View for creating a sale price break for a part """ """ View for creating a sale price break for a part """
@ -2147,6 +2224,8 @@ class PartSalePriceBreakCreate(AjaxCreateView):
model = PartSellPriceBreak model = PartSellPriceBreak
form_class = part_forms.EditPartSalePriceBreakForm form_class = part_forms.EditPartSalePriceBreakForm
ajax_form_title = _('Add Price Break') ajax_form_title = _('Add Price Break')
permission_required = 'part.create_partsellpricebreak'
def get_data(self): def get_data(self):
return { return {
@ -2197,6 +2276,8 @@ class PartSalePriceBreakEdit(AjaxUpdateView):
form_class = part_forms.EditPartSalePriceBreakForm form_class = part_forms.EditPartSalePriceBreakForm
ajax_form_title = _('Edit Price Break') ajax_form_title = _('Edit Price Break')
permission_required = 'part.change_partsellpricebreak'
def get_form(self): def get_form(self):
form = super().get_form() form = super().get_form()
@ -2211,3 +2292,5 @@ class PartSalePriceBreakDelete(AjaxDeleteView):
model = PartSellPriceBreak model = PartSellPriceBreak
ajax_form_title = _("Delete Price Break") ajax_form_title = _("Delete Price Break")
ajax_template_name = "modal_delete_form.html" ajax_template_name = "modal_delete_form.html"
permission_required = 'part.delete_partsalepricebreak'

18
InvenTree/templates/403.html Normal file
View File

@ -0,0 +1,18 @@
{% extends "base.html" %}
{% load i18n %}
{% block page_title %}
InvenTree | {% trans "Permission Denied" %}
{% endblock %}
{% block content %}
<div class='container-fluid'>
<h3>{% trans "Permission Denied" %}</h3>
<div class='alert alert-danger alert-block'>
{% trans "You do not have permission to view this page." %}
</div>
</div>
{% endblock %}

4
InvenTree/templates/InvenTree/index.html
View File

@ -1,7 +1,7 @@
{% extends "base.html" %} {% extends "base.html" %}
{% load i18n %}
{% block page_title %} {% block page_title %}
InvenTree | Index InvenTree | {% trans "Index" %}
{% endblock %} {% endblock %}
{% block content %} {% block content %}