[per-object-permissions] Fixed some problems with checking of permissions

git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3487 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-07-05 02:09:13 +00:00 · 2006-07-29 18:27:50 +00:00 · 2006-07-29 18:27:50 +00:00 · 68072fa75c
commit 68072fa75c
parent 340718bd3a
3 changed files with 20 additions and 12 deletions
--- a/django/contrib/admin/templates/admin/change_form.html
+++ b/django/contrib/admin/templates/admin/change_form.html
@ -66,7 +66,7 @@
 </div>
 </form>

-{% if rlp_form_list %}
+{% if new_rlp_form  %}
 {% include "admin/row_level_permission.html" %}
 {% endif %}

--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@ -391,7 +391,6 @@ def change_stage(request, app_label, model_name, object_id):
        'object_id': object_id,
        'original': manipulator.original_object,
        'is_popup': request.REQUEST.has_key('_popup'),
-        'is_row_level_perm': model._meta.row_level_permissions,
    })

    if model._meta.row_level_permissions:
--- a/django/contrib/admin/views/row_level_permissions.py
+++ b/django/contrib/admin/views/row_level_permissions.py
@ -4,6 +4,7 @@ from django.http import Http404, HttpResponse, HttpResponseRedirect
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import RowLevelPermission
 from django.contrib.admin.row_level_perm_manipulator import AddRLPManipulator, ChangeRLPManipulator
+from django.core.exceptions import ImproperlyConfigured, ObjectDoesNotExist, PermissionDenied
 import simplejson

 def delete_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
@ -15,7 +16,7 @@ def delete_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
        opts = rlp._meta
        if not request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission()):
            raise PermissionDenied   
-        if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_delete_permission()):
+        if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_change_permission()()):
            raise PermissionDenied           
        rlp.delete()
        msg = {"result":True, "text":_("Row level permission was successful deleted"), "id":rlp_id}
@ -39,7 +40,10 @@ def add_row_level_permission(request, ct_id, obj_id, ajax=None):
    ct = get_object_or_404(ContentType, pk=ct_id)
    obj = get_object_or_404(ct.model_class(), pk=obj_id)

-    if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_add_permission()):
+    if not request.user.has_perm(obj._meta.app_label + '.' + obj._meta.get_change_permission()):
+        raise PermissionDenied  
+
+    if not request.user.has_perm(RowLevelPermission._meta.app_label + '.' + RowLevelPermission._meta.get_add_permission()):
        raise PermissionDenied
    
    manip = AddRLPManipulator(obj, ct)
@ -54,7 +58,10 @@ def add_row_level_permission(request, ct_id, obj_id, ajax=None):
    except validators.ValidationError:
        msg = {"result":False, "text":_("A row level permission already exists with the specified values.")}
    else:
-        msg = {"result":True, "text":_("Row level permission has successful been added.")}
+        if len(rlp_list) is 1:
+            msg = {"result":True, "text":_("Row level permission has successfully been added.")}
+        else:
+            msg = {"result":True, "text":_("Row level permissions have successfully been added.")}
    if not ajax:
        request.user.message_set.create(message=msg['text'])
        return HttpResponseRedirect("../../../../../%s/%s/%s" % (obj._meta.app_label, obj._meta.module_name , str(obj.id)))
@ -80,12 +87,14 @@ def change_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
        request.user.message_set.create(message=msg['text'])
        return HttpResponseRedirect("/edit/%s/%s" % (obj_type, obj_id))         
    
-    obj = get_object_or_404(RowLevelPermission, pk=rlp_id)
-    opts = obj._meta
+    rlp = get_object_or_404(RowLevelPermission, pk=rlp_id)
+    opts = rlp._meta
+    if not request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()):
+        raise PermissionDenied  

-    #if not request.user.has_perm(app_label + '.' + opts.get_change_permission()):
-    #if not request.user.has_perm(opts.get_change_permission()):
-        #raise PermissionDenied    
+    object_model = rlp.type_ct.model_class()
+    if not request.user.has_perm(object_model._meta.app_label + '.' + object_model._meta.get_change_permission()):
+        raise PermissionDenied
    
    manip = ChangeRLPManipulator()
    new_data = request.POST.copy()
@ -102,4 +111,4 @@ def change_row_level_permission(request, ct_id, rlp_id, hash, ajax=None):
    if ajax:
        return HttpResponse(simplejson.dumps(msg), 'text/javascript')
    request.user.message_set.create(message=msg['text'])
-    return HttpResponseRedirect("../../../../../../%s/%s/%s" % (new_rlp.type._meta.app_label, new_rlp.type._meta.module_name , str(rlp.type_id)))
+    return HttpResponseRedirect("../../../../../../%s/%s/%s" % (object_model._meta.app_label, object_model._meta.module_name , str(rlp.type_id)))