From 27656633df070cdf9df458d65e6a60f8c78b8fcc Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Wed, 30 Sep 2020 23:57:23 +1000
Subject: [PATCH 1/4] Update admin links to require specific permissions

---
 InvenTree/build/templates/build/build_base.html       | 2 +-
 InvenTree/company/templates/company/company_base.html | 2 +-
 InvenTree/order/templates/order/order_base.html       | 7 ++++++-
 InvenTree/order/templates/order/sales_order_base.html | 7 ++++++-
 InvenTree/part/templates/part/category.html           | 2 +-
 InvenTree/part/templates/part/part_base.html          | 2 +-
 InvenTree/stock/templates/stock/item_base.html        | 2 +-
 InvenTree/stock/templates/stock/location.html         | 2 +-
 8 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/InvenTree/build/templates/build/build_base.html b/InvenTree/build/templates/build/build_base.html
index d9764d6e25..915433b055 100644
--- a/InvenTree/build/templates/build/build_base.html
+++ b/InvenTree/build/templates/build/build_base.html
@@ -35,7 +35,7 @@ src="{% static 'img/blank_image.png' %}"
 <hr>
 <h4>
     {{ build.quantity }} x {{ build.part.full_name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.build.change_build %}
     <a  href="{% url 'admin:build_build_change' build.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>
diff --git a/InvenTree/company/templates/company/company_base.html b/InvenTree/company/templates/company/company_base.html
index edcc817ab3..73ebecf979 100644
--- a/InvenTree/company/templates/company/company_base.html
+++ b/InvenTree/company/templates/company/company_base.html
@@ -23,7 +23,7 @@ InvenTree | {% trans "Company" %} - {{ company.name }}
 <hr>
 <h4>
     {{ company.name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.company.change_company %}
     <a  href="{% url 'admin:company_company_change' company.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
     {% endif %}
 </h4>
diff --git a/InvenTree/order/templates/order/order_base.html b/InvenTree/order/templates/order/order_base.html
index e047c5607f..036021b12d 100644
--- a/InvenTree/order/templates/order/order_base.html
+++ b/InvenTree/order/templates/order/order_base.html
@@ -22,7 +22,12 @@ src="{% static 'img/blank_image.png' %}"
 {% block page_data %}
 <h3>{% trans "Purchase Order" %} {% purchase_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
+    {{ order }}
+    {% if user.is_staff and perms.order.change_purchaseorder %}
+    <a href="{% url 'admin:order_purchaseorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
+    {% endif %}
+</h4>
 <p>{{ order.description }}</p>
 <p>
     <div class='btn-row'>
diff --git a/InvenTree/order/templates/order/sales_order_base.html b/InvenTree/order/templates/order/sales_order_base.html
index 6028157a22..70505ddccc 100644
--- a/InvenTree/order/templates/order/sales_order_base.html
+++ b/InvenTree/order/templates/order/sales_order_base.html
@@ -32,7 +32,12 @@ src="{% static 'img/blank_image.png' %}"
 
 <h3>{% trans "Sales Order" %} {% sales_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
+    {{ order }}
+    {% if user.is_staff and perms.order.change_salesorder %}
+    <a href="{% url 'admin:order_salesorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
+    {% endif %}
+</h4>
 <p>{{ order.description }}</p>
 <div class='btn-row'>
     <div class='btn-group action-buttons'>
diff --git a/InvenTree/part/templates/part/category.html b/InvenTree/part/templates/part/category.html
index 58332b1a0c..528fdc135d 100644
--- a/InvenTree/part/templates/part/category.html
+++ b/InvenTree/part/templates/part/category.html
@@ -9,7 +9,7 @@
         {% if category %}
         <h3>
             {{ category.name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_partcategory %}
             <a href="{% url 'admin:part_partcategory_change' category.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
             {% endif %}
         </h3>
diff --git a/InvenTree/part/templates/part/part_base.html b/InvenTree/part/templates/part/part_base.html
index e5dcd9e24e..1de4976740 100644
--- a/InvenTree/part/templates/part/part_base.html
+++ b/InvenTree/part/templates/part/part_base.html
@@ -28,7 +28,7 @@
     <div class="media-body">
         <h3>
             {{ part.full_name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_part %}
             <a  href="{% url 'admin:part_part_change' part.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
             {% endif %}
             {% if not part.active %}
diff --git a/InvenTree/stock/templates/stock/item_base.html b/InvenTree/stock/templates/stock/item_base.html
index c6de4c058f..b3fb9af743 100644
--- a/InvenTree/stock/templates/stock/item_base.html
+++ b/InvenTree/stock/templates/stock/item_base.html
@@ -65,7 +65,7 @@ InvenTree | {% trans "Stock Item" %} - {{ item }}
 {% else %}
     <a href='{% url "part-detail" item.part.pk %}'>{{ item.part.full_name }}</a> &times {% decimal item.quantity %}
 {% endif %}
-{% if user.is_staff %}
+{% if user.is_staff and perms.stock.change_stockitem %}
     <a  href="{% url 'admin:stock_stockitem_change' item.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>
diff --git a/InvenTree/stock/templates/stock/location.html b/InvenTree/stock/templates/stock/location.html
index 802175ff53..2f319f4925 100644
--- a/InvenTree/stock/templates/stock/location.html
+++ b/InvenTree/stock/templates/stock/location.html
@@ -8,7 +8,7 @@
     {% if location %}
     <h3>
         {{ location.name }}
-        {% if user.is_staff %}
+        {% if user.is_staff and perms.stock.change_stocklocation %}
         <a  href="{% url 'admin:stock_stocklocation_change' location.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
         {% endif %}
     </h3>

From 81864a6ab88ca9c4bf8e0a3c082d567db6e61896 Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Thu, 1 Oct 2020 00:00:37 +1000
Subject: [PATCH 2/4] Fix button layout for stock table

---
 InvenTree/part/templates/part/category.html |  6 ++--
 InvenTree/templates/stock_table.html        | 32 +++++++++++----------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/InvenTree/part/templates/part/category.html b/InvenTree/part/templates/part/category.html
index 528fdc135d..a79bfcbe84 100644
--- a/InvenTree/part/templates/part/category.html
+++ b/InvenTree/part/templates/part/category.html
@@ -114,9 +114,9 @@
                 </ul>
             </div>
         </div>
-        <div class='filter-list' id='filter-list-parts'>
-            <!-- Empty div -->
-        </div>
+    </div>
+    <div class='filter-list' id='filter-list-parts'>
+        <!-- Empty div -->
     </div>
 </div>
 
diff --git a/InvenTree/templates/stock_table.html b/InvenTree/templates/stock_table.html
index 50d18c6386..c41d2181c9 100644
--- a/InvenTree/templates/stock_table.html
+++ b/InvenTree/templates/stock_table.html
@@ -2,22 +2,24 @@
 
 <div id='button-toolbar'>
     <div class='button-toolbar container-fluid' style='float: right;'>
-        <button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
-        {% if read_only %}
-        {% else %}
-        <button class="btn btn-success" id='item-create'>{% trans "New Stock Item" %}</button>
-        <div class="btn-group">
-            <button id='stock-options' class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">{% trans "Options" %}<span class="caret"></span></button>
-            <ul class="dropdown-menu">
-                <li><a href="#" id='multi-item-add' title='{% trans "Add to selected stock items" %}'>{% trans "Add stock" %}</a></li>
-                <li><a href="#" id='multi-item-remove' title='{% trans "Remove from selected stock items" %}'>{% trans "Remove stock" %}</a></li>
-                <li><a href="#" id='multi-item-stocktake' title='{% trans "Stocktake selected stock items" %}'>{% trans "Count stock" %}</a></li>
-                <li><a href='#' id='multi-item-move' title='{% trans "Move selected stock items" %}'>{% trans "Move stock" %}</a></li>
-                <li><a href='#' id='multi-item-order' title='{% trans "Order selected items" %}'>{% trans "Order stock" %}</a></li>
-                <li><a href='#' id='multi-item-delete' title='{% trans "Delete selected items" %}'>{% trans "Delete Stock" %}</a></li>
-            </ul>
+        <div class='btn-group'>
+            <button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
+            {% if read_only %}
+            {% else %}
+            <button class="btn btn-success" id='item-create'>{% trans "New Stock Item" %}</button>
+            <div class="btn-group">
+                <button id='stock-options' class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">{% trans "Options" %}<span class="caret"></span></button>
+                <ul class="dropdown-menu">
+                    <li><a href="#" id='multi-item-add' title='{% trans "Add to selected stock items" %}'>{% trans "Add stock" %}</a></li>
+                    <li><a href="#" id='multi-item-remove' title='{% trans "Remove from selected stock items" %}'>{% trans "Remove stock" %}</a></li>
+                    <li><a href="#" id='multi-item-stocktake' title='{% trans "Stocktake selected stock items" %}'>{% trans "Count stock" %}</a></li>
+                    <li><a href='#' id='multi-item-move' title='{% trans "Move selected stock items" %}'>{% trans "Move stock" %}</a></li>
+                    <li><a href='#' id='multi-item-order' title='{% trans "Order selected items" %}'>{% trans "Order stock" %}</a></li>
+                    <li><a href='#' id='multi-item-delete' title='{% trans "Delete selected items" %}'>{% trans "Delete Stock" %}</a></li>
+                </ul>
+            </div>
+            {% endif %}
         </div>
-        {% endif %}
         <div class='filter-list' id='filter-list-stock'>
             <!-- An empty div in which the filter list will be constructed -->
         </div>

From 56660d52f282437de12c4007cd7b8f004dc9e9cf Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Thu, 1 Oct 2020 00:09:21 +1000
Subject: [PATCH 3/4] Add "permission denied" message on modal forms

---
 .../InvenTree/static/script/inventree/modals.js      | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/InvenTree/InvenTree/static/script/inventree/modals.js b/InvenTree/InvenTree/static/script/inventree/modals.js
index 1cb5346a68..80ada1596f 100644
--- a/InvenTree/InvenTree/static/script/inventree/modals.js
+++ b/InvenTree/InvenTree/static/script/inventree/modals.js
@@ -807,7 +807,19 @@ function launchModalForm(url, options = {}) {
             }
         },
         error: function (xhr, ajaxOptions, thrownError) {
+
             $(modal).modal('hide');
+
+            // Permission denied!
+            if (xhr.status == 403) {
+                showAlertDialog(
+                    "Permission Denied",
+                    "You do not have the required permissions to access this function"
+                );
+
+                return;
+            }
+
             showAlertDialog('Error requesting form data', renderErrorMessage(xhr));
         }
     };

From 626d0266c8c171c64fe59557ed28480607b62e7c Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Thu, 1 Oct 2020 00:16:04 +1000
Subject: [PATCH 4/4] Add framework for required permissions for any ajax modal
 forms

- Default permissions of "*" will not immediately change any modal forms
- Set the permission_required attribute of any modal form for this to be implemented
---
 InvenTree/InvenTree/views.py | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/InvenTree/InvenTree/views.py b/InvenTree/InvenTree/views.py
index 3f9bc5b0a9..d940229ebe 100644
--- a/InvenTree/InvenTree/views.py
+++ b/InvenTree/InvenTree/views.py
@@ -13,6 +13,8 @@ from django.template.loader import render_to_string
 from django.http import JsonResponse, HttpResponseRedirect
 from django.urls import reverse_lazy
 
+from django.contrib.auth.mixins import PermissionRequiredMixin
+
 from django.views import View
 from django.views.generic import UpdateView, CreateView, FormView
 from django.views.generic.base import TemplateView
@@ -105,12 +107,32 @@ class TreeSerializer(views.APIView):
         return JsonResponse(response, safe=False)
 
 
-class AjaxMixin(object):
+class AjaxMixin(PermissionRequiredMixin):
     """ AjaxMixin provides basic functionality for rendering a Django form to JSON.
     Handles jsonResponse rendering, and adds extra data for the modal forms to process
     on the client side.
+
+    Any view which inherits the AjaxMixin will need
+    correct permissions set using the 'permission_required' attribute
+
     """
 
+    # By default, allow *any* permissions
+    permission_required = '*'
+
+    def has_permission(self):
+        """
+        Override the default behaviour of has_permission from PermissionRequiredMixin.
+
+        Basically, if permission_required attribute = '*',
+        no permissions are actually required!
+        """
+
+        if self.permission_required == '*':
+            return True
+        else:
+            return super().has_permission()
+
     # By default, point to the modal_form template
     # (this can be overridden by a child class)
     ajax_template_name = 'modal_form.html'