mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-04 17:59:13 +00:00
Code Issues 32 Releases Wiki Activity

[per-object-permissions] Fixes problem with one-to-one relationships as the original code assumed every model had an id attribute, now uses "_get_pk_val()" to determine the model id.

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Christopher Long 2006-09-12 15:04:29 +00:00
parent e12c2f83e0
commit 00972e69b6
3 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
django/contrib/admin/row_level_perm_manipulator.py
View File

@ -33,13 +33,14 @@ class ChangeRLPManipulator(forms.Manipulator):
model_ct = rlp.model_ct
model = model_ct.get_object_for_this_type (pk=rlp.model_id)
model_id = rlp.model_id
perm = Permission.objects.get(pk=new_data['perm'])
field_name_list = ('owner_ct', 'owner_id', 'model_ct', 'model_id', 'permission')
field_data = owner_ct.id
all_data = {'owner_id':owner.id, 'model_ct_id':model_ct.id, 'model_id':model.id, 'permission_id':perm.id}
all_data = {'owner_id':owner.id, 'model_ct_id':model_ct.id, 'model_id':model_id, 'permission_id':perm.id}
manipulators.manipulator_validator_unique_together(field_name_list, self.opts, self, field_data, all_data)
rlp.owner = owner

6
django/contrib/admin/views/row_level_permissions.py
View File

@ -128,10 +128,8 @@ def delete_row_level_permission(request, app_label, model_name, object_id, ct_id
raise PermissionDenied
if not request.user.has_perm(rlp._meta.app_label + '.' + rlp._meta.get_delete_permission()):
print "BAM"
raise PermissionDenied
if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_change_permission(), object=obj):
print "BOOM"
raise PermissionDenied
rlp.delete()
@ -218,7 +216,9 @@ def change_row_level_permission(request, app_label, model_name, object_id, ct_id
raise PermissionDenied
obj = rlp.model
if model_instance.id is not obj.id:
model_id = model_instance._get_pk_val()
object_id = obj._get_pk_val()
if model_id is not object_id:
raise PermissionDenied
if not request.user.has_perm(rlp._meta.app_label + '.' + rlp._meta.get_change_permission(), object=obj):

10
django/contrib/auth/models.py
View File

@ -54,8 +54,8 @@ class RowLevelPermissionManager(models.Manager):
permission = Permission.objects.get(codename__exact=permission, content_type=model_ct.id)
if model_ct != permission.content_type:
raise TypeError, "Invalid value: Permission content type(%s) and object content type(%s) do not match" % (permission.content_type, type_ct)
rowLvlPerm = self.model(model_id=model_instance.id, model_ct=model_ct,
model_id = model_instance._get_pk_val()
rowLvlPerm = self.model(model_id=model_id, model_ct=model_ct,
owner_id=owner.id, owner_ct=ContentType.objects.get_for_model(owner),
permission=permission, negative=negative)
rowLvlPerm.save()
@ -287,7 +287,8 @@ class User(models.Model):
except Permission.DoesNotExist:
return False
try:
row_level_perm=self.row_level_permissions_owned.get(model_id=object.id,
model_id = object._get_pk_val()
row_level_perm=self.row_level_permissions_owned.get(model_id=model_id,
model_ct=object_ct.id,
permission=permission.id)
except RowLevelPermission.DoesNotExist:
@ -303,6 +304,7 @@ class User(models.Model):
#AND rlp."model_id"=%s
#AND rlp."model_ct_id"=%s
#AND rlp."permission_id"=%s;
model_id = object._get_pk_val()
cursor = connection.cursor()
sql = """
SELECT rlp.%s
@ -322,7 +324,7 @@ class User(models.Model):
backend.quote_name('negative'))
cursor.execute(sql, [self.id,
ContentType.objects.get_for_model(Group).id,
object.id,
model_id,
ContentType.objects.get_for_model(object).id,
permission.id,])
row = cursor.fetchone()