Merge pull request #1010 from SchrodingersGat/admin-permission-fixes

Update admin links to require specific permissions
Oliver 2020-10-01 00:37:43 +10:00 committed by GitHub
commit 4f648f8787
11 changed files with 73 additions and 27 deletions


@ -807,7 +807,19 @@ function launchModalForm(url, options = {}) {
}
},
error: function (xhr, ajaxOptions, thrownError) {
$(modal).modal('hide');
// Permission denied!
if (xhr.status == 403) {
showAlertDialog(
"Permission Denied",
"You do not have the required permissions to access this function"
);
return;
}
showAlertDialog('Error requesting form data', renderErrorMessage(xhr));
}
};
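Review bot: The new branch `if (xhr.status == 403)` compares a numeric `xhr.status` with loose equality; `if (xhr.status === 403)` states the intent and avoids the coercion, though I cannot see from the hunk whether the file already uses strict comparison elsewhere. Django also answers CSRF-rejected POSTs with a 403, so this dialog would present a CSRF failure as a permissions problem; if that distinction matters to users, the handler could check the response body before choosing the message. The dialog text is shown after the modal is hidden, which is fine, but the hard-coded strings are not wrapped for translation the way the templates in this change are. launchModalForm starts before the hunk.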


@ -13,6 +13,8 @@ from django.template.loader import render_to_string
from django.http import JsonResponse, HttpResponseRedirect
from django.urls import reverse_lazy
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.views import View
from django.views.generic import UpdateView, CreateView, FormView
from django.views.generic.base import TemplateView
@ -105,12 +107,32 @@ class TreeSerializer(views.APIView):
return JsonResponse(response, safe=False)
class AjaxMixin(object):
class AjaxMixin(PermissionRequiredMixin):
""" AjaxMixin provides basic functionality for rendering a Django form to JSON.
Handles jsonResponse rendering, and adds extra data for the modal forms to process
on the client side.
Any view which inherits the AjaxMixin will need
correct permissions set using the 'permission_required' attribute
"""
# By default, allow *any* permissions
permission_required = '*'
def has_permission(self):
"""
Override the default behaviour of has_permission from PermissionRequiredMixin.
Basically, if permission_required attribute = '*',
no permissions are actually required!
"""
if self.permission_required == '*':
return True
else:
return super().has_permission()
# By default, point to the modal_form template
# (this can be overridden by a child class)
ajax_template_name = 'modal_form.html'
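Review bot: `permission_required = '*'` makes the mixin fail open: any view that inherits AjaxMixin and never sets the attribute skips the check entirely in `has_permission`, anonymous requests included, and nothing flags the omission. Leaving the attribute unset would force each subclass to declare its permission, since PermissionRequiredMixin.get_permission_required raises ImproperlyConfigured when it is None; if '*' has to stay for compatibility, the comment on it should say what it costs, e.g. `# '*' disables the permission check entirely (anonymous users included); set it only on views that are deliberately open`. Separately, PermissionRequiredMixin.handle_no_permission redirects unauthenticated users to the login page instead of raising PermissionDenied unless `raise_exception = True` is set on the class, so an AJAX caller would get the login page with a 200 rather than the 403 the client-side handler keys on. The class body continues past the hunk.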


@ -35,7 +35,7 @@ src="{% static 'img/blank_image.png' %}"
<hr>
<h4>
{{ build.quantity }} x {{ build.part.full_name }}
{% if user.is_staff %}
{% if user.is_staff and perms.build.change_build %}
<a href="{% url 'admin:build_build_change' build.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
</h4>
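Review bot: The new condition `{% if user.is_staff and perms.build.change_build %}` only controls whether the link is rendered; access to the admin change page is still decided by the admin site's own checks, so this is a UI affordance rather than the access control, and a short template comment saying so would stop a later reader from treating it as the guard. If the project is on Django 2.1 or newer, the admin change view also opens read-only for staff who hold only the model's `view_*` permission, so such a user can still reach `admin:build_build_change` but will no longer see the link; if that case matters, nest the check as `{% if user.is_staff %}{% if perms.build.change_build or perms.build.view_build %}` rather than chaining `and`/`or` on one line, since the template `if` tag has no parentheses. The same pattern recurs in the company, purchase order, sales order, part category, part, stock item and stock location sections, so whichever form is chosen should be applied to all of them.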


@ -23,7 +23,7 @@ InvenTree | {% trans "Company" %} - {{ company.name }}
<hr>
<h4>
{{ company.name }}
{% if user.is_staff %}
{% if user.is_staff and perms.company.change_company %}
<a href="{% url 'admin:company_company_change' company.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
</h4>


@ -22,7 +22,12 @@ src="{% static 'img/blank_image.png' %}"
{% block page_data %}
<h3>{% trans "Purchase Order" %} {% purchase_order_status_label order.status large=True %}</h3>
<hr>
<h4>{{ order }}</h4>
<h4>
{{ order }}
{% if user.is_staff and perms.order.change_purchaseorder %}
<a href="{% url 'admin:order_purchaseorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
{% endif %}
</h4>
<p>{{ order.description }}</p>
<p>
<div class='btn-row'>


@ -32,7 +32,12 @@ src="{% static 'img/blank_image.png' %}"
<h3>{% trans "Sales Order" %} {% sales_order_status_label order.status large=True %}</h3>
<hr>
<h4>{{ order }}</h4>
<h4>
{{ order }}
{% if user.is_staff and perms.order.change_salesorder %}
<a href="{% url 'admin:order_salesorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
{% endif %}
</h4>
<p>{{ order.description }}</p>
<div class='btn-row'>
<div class='btn-group action-buttons'>


@ -9,7 +9,7 @@
{% if category %}
<h3>
{{ category.name }}
{% if user.is_staff %}
{% if user.is_staff and perms.part.change_partcategory %}
<a href="{% url 'admin:part_partcategory_change' category.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
</h3>
@ -114,10 +114,10 @@
</ul>
</div>
</div>
</div>
<div class='filter-list' id='filter-list-parts'>
<!-- Empty div -->
</div>
</div>
</div>
<table class='table table-striped table-condensed' data-toolbar='#button-toolbar' id='part-table'>


@ -28,7 +28,7 @@
<div class="media-body">
<h3>
{{ part.full_name }}
{% if user.is_staff %}
{% if user.is_staff and perms.part.change_part %}
<a href="{% url 'admin:part_part_change' part.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
{% if not part.active %}


@ -65,7 +65,7 @@ InvenTree | {% trans "Stock Item" %} - {{ item }}
{% else %}
<a href='{% url "part-detail" item.part.pk %}'>{{ item.part.full_name }}</a> &times {% decimal item.quantity %}
{% endif %}
{% if user.is_staff %}
{% if user.is_staff and perms.stock.change_stockitem %}
<a href="{% url 'admin:stock_stockitem_change' item.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
</h4>


@ -8,7 +8,7 @@
{% if location %}
<h3>
{{ location.name }}
{% if user.is_staff %}
{% if user.is_staff and perms.stock.change_stocklocation %}
<a href="{% url 'admin:stock_stocklocation_change' location.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
{% endif %}
</h3>


@ -2,6 +2,7 @@
<div id='button-toolbar'>
<div class='button-toolbar container-fluid' style='float: right;'>
<div class='btn-group'>
<button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
{% if read_only %}
{% else %}
@ -18,6 +19,7 @@
</ul>
</div>
{% endif %}
</div>
<div class='filter-list' id='filter-list-stock'>
<!-- An empty div in which the filter list will be constructed -->
</div>