Merge pull request #2609 from eeintech/child_model_permissions

Child model permissions

InvenTree/users/models.py

@@ -176,6 +176,11 @@ class RuleSet(models.Model):
         'django_q_success',
     ]
 
+    RULESET_CHANGE_INHERIT = [
+        ('part', 'partparameter'),
+        ('part', 'bomitem'),
+    ]
+
     RULE_OPTIONS = [
         'can_view',
         'can_add',
@@ -228,6 +233,16 @@ class RuleSet(models.Model):
                 if check_user_role(user, role, permission):
                     return True
 
+        # Check for children models which inherits from parent role
+        for (parent, child) in cls.RULESET_CHANGE_INHERIT:
+            # Get child model name
+            parent_child_string = f'{parent}_{child}'
+
+            if parent_child_string == table:
+                # Check if parent role has change permission
+                if check_user_role(user, parent, 'change'):
+                    return True
+
         # Print message instead of throwing an error
         name = getattr(user, 'name', user.pk)
 
@@ -453,6 +468,28 @@ def update_group_roles(group, debug=False):
         if debug:
             print(f"Removing permission {perm} from group {group.name}")
 
+    # Enable all action permissions for certain children models
+    # if parent model has 'change' permission
+    for (parent, child) in RuleSet.RULESET_CHANGE_INHERIT:
+        parent_change_perm = f'{parent}.change_{parent}'
+        parent_child_string = f'{parent}_{child}'
+
+        # Check if parent change permission exists
+        if parent_change_perm in group_permissions:
+            # Add child model permissions
+            for action in ['add', 'change', 'delete']:
+                child_perm = f'{parent}.{action}_{child}'
+
+                # Check if child permission not already in group
+                if child_perm not in group_permissions:
+                    # Create permission object
+                    add_model(parent_child_string, action, ruleset.can_delete)
+                    # Add to group
+                    permission = get_permission_object(child_perm)
+                    if permission:
+                        group.permissions.add(permission)
+                        print(f"Adding permission {child_perm} to group {group.name}")
+
 
 @receiver(post_save, sender=Group, dispatch_uid='create_missing_rule_sets')
 def create_missing_rule_sets(sender, instance, **kwargs):