From 68072fa75c56c040b18c2fc43e96acc3f734fa67 Mon Sep 17 00:00:00 2001
From: Christopher Long <indirecthit@gmail.com>
Date: Sat, 29 Jul 2006 18:27:50 +0000
Subject: [PATCH] [per-object-permissions] Fixed some problems with checking of
 permissions

git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3487 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 .../admin/templates/admin/change_form.html    |  2 +-
 django/contrib/admin/views/main.py            |  1 -
 .../admin/views/row_level_permissions.py      | 29 ++++++++++++-------
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/django/contrib/admin/templates/admin/change_form.html b/django/contrib/admin/templates/admin/change_form.html
index 5dddfa26ae..3e340615a7 100644
--- a/django/contrib/admin/templates/admin/change_form.html
+++ b/django/contrib/admin/templates/admin/change_form.html
@@ -66,7 +66,7 @@
 </div>
 </form>
 
-{% if rlp_form_list %}
+{% if new_rlp_form  %}
 {% include "admin/row_level_permission.html" %}
 {% endif %}
 
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 168199a54d..6ac7ccb276 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -391,7 +391,6 @@ def change_stage(request, app_label, model_name, object_id):
         'object_id': object_id,
         'original': manipulator.original_object,
         'is_popup': request.REQUEST.has_key('_popup'),
-        'is_row_level_perm': model._meta.row_level_permissions,
     })
 
     if model._meta.row_level_permissions:
diff --git a/django/contrib/admin/views/row_level_permissions.py b/django/contrib/admin/views/row_level_permissions.py
index 607c6904cf..0c54ae2e87 100644
--- a/django/contrib/admin/views/row_level_permissions.py
+++ b/django/contrib/admin/views/row_level_permissions.py
@@ -4,6 +4,7 @@ from django.http import Http404, HttpResponse, HttpResponseRedirect
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import RowLevelPermission
 from django.contrib.admin.row_level_perm_manipulator import AddRLPManipulator, ChangeRLPManipulator
+from django.core.exceptions import ImproperlyConfigured, ObjectDoesNotExist, PermissionDenied
 import simplejson
 
 def delete_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
@@ -15,7 +16,7 @@ def delete_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
         opts = rlp._meta
         if not request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission()):
             raise PermissionDenied   
-        if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_delete_permission()):
+        if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_change_permission()()):
             raise PermissionDenied           
         rlp.delete()
         msg = {"result":True, "text":_("Row level permission was successful deleted"), "id":rlp_id}
@@ -38,9 +39,12 @@ def add_row_level_permission(request, ct_id, obj_id, ajax=None):
 
     ct = get_object_or_404(ContentType, pk=ct_id)
     obj = get_object_or_404(ct.model_class(), pk=obj_id)
- 
-    if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_add_permission()):
+
+    if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_change_permission()):
         raise PermissionDenied  
+
+    if not request.user.has_perm(RowLevelPermission._meta.app_label + '.' + RowLevelPermission._meta.get_add_permission()):
+        raise PermissionDenied
     
     manip = AddRLPManipulator(obj, ct)
     
@@ -54,7 +58,10 @@ def add_row_level_permission(request, ct_id, obj_id, ajax=None):
     except validators.ValidationError:
         msg = {"result":False, "text":_("A row level permission already exists with the specified values.")}
     else:
-        msg = {"result":True, "text":_("Row level permission has successful been added.")}
+        if len(rlp_list) is 1:
+            msg = {"result":True, "text":_("Row level permission has successfully been added.")}
+        else:
+            msg = {"result":True, "text":_("Row level permissions have successfully been added.")}
     if not ajax:
         request.user.message_set.create(message=msg['text'])
         return HttpResponseRedirect("../../../../../%s/%s/%s" % (obj._meta.app_label, obj._meta.module_name , str(obj.id)))
@@ -80,12 +87,14 @@ def change_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
         request.user.message_set.create(message=msg['text'])
         return HttpResponseRedirect("/edit/%s/%s" % (obj_type, obj_id))         
     
-    obj = get_object_or_404(RowLevelPermission, pk=rlp_id)
-    opts = obj._meta
+    rlp = get_object_or_404(RowLevelPermission, pk=rlp_id)
+    opts = rlp._meta
+    if not request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()):
+        raise PermissionDenied  
 
-    #if not request.user.has_perm(app_label + '.' + opts.get_change_permission()):
-    #if not request.user.has_perm(opts.get_change_permission()):
-        #raise PermissionDenied    
+    object_model = rlp.type_ct.model_class()
+    if not request.user.has_perm(object_model._meta.app_label + '.' + object_model._meta.get_change_permission()):
+        raise PermissionDenied
     
     manip = ChangeRLPManipulator()
     new_data = request.POST.copy()
@@ -102,4 +111,4 @@ def change_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
     if ajax:
         return HttpResponse(simplejson.dumps(msg), 'text/javascript')
     request.user.message_set.create(message=msg['text'])
-    return HttpResponseRedirect("../../../../../../%s/%s/%s" % (new_rlp.type._meta.app_label, new_rlp.type._meta.module_name , str(rlp.type_id)))
\ No newline at end of file
+    return HttpResponseRedirect("../../../../../../%s/%s/%s" % (object_model._meta.app_label, object_model._meta.module_name , str(rlp.type_id)))
\ No newline at end of file