From 8a38dfaa83d613982dbc844ac91dc49bbe7f7227 Mon Sep 17 00:00:00 2001
From: Christopher Long <indirecthit@gmail.com>
Date: Sun, 20 Aug 2006 20:54:37 +0000
Subject: [PATCH] [per-object-permissions] Updated admin pages to use
 contains_permission, this means the admin interface will now show the change
 list link to a user even if they only have change row level permissions on
 one of the objects. Right now, it does list all the objects and does not
 filter out those that the user does not have permissions on.

git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3625 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 .../admin/templatetags/adminapplist.py        | 14 ++++++++----
 django/contrib/admin/views/main.py            | 22 +++++++++++--------
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/django/contrib/admin/templatetags/adminapplist.py b/django/contrib/admin/templatetags/adminapplist.py
index 5a8e288e27..4eeef1b0cf 100644
--- a/django/contrib/admin/templatetags/adminapplist.py
+++ b/django/contrib/admin/templatetags/adminapplist.py
@@ -27,11 +27,17 @@ class AdminApplistNode(template.Node):
                 for m in app_models:
                     if m._meta.admin:
                         if not m._meta.admin.hidden:
+                            #perms = {
+                                #'add': user.has_perm("%s.%s" % (app_label, m._meta.get_add_permission())),
+                                #'change': user.has_perm("%s.%s" % (app_label, m._meta.get_change_permission())),
+                                #'delete': user.has_perm("%s.%s" % (app_label, m._meta.get_delete_permission())),
+                            #}
+    
                             perms = {
-                                'add': user.has_perm("%s.%s" % (app_label, m._meta.get_add_permission())),
-                                'change': user.has_perm("%s.%s" % (app_label, m._meta.get_change_permission())),
-                                'delete': user.has_perm("%s.%s" % (app_label, m._meta.get_delete_permission())),
-                            }
+                                'add': user.contains_permission("%s.%s" % (app_label, m._meta.get_add_permission()), m),
+                                'change': user.contains_permission("%s.%s" % (app_label, m._meta.get_change_permission()), m),
+                                'delete': user.contains_permission("%s.%s" % (app_label, m._meta.get_delete_permission()), m),
+                            }    
     
                             # Check whether user has any perm for this module.
                             # If so, add the module to the model_list.
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 4c76502a67..9cc2a697f9 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -311,16 +311,18 @@ def change_stage(request, app_label, model_name, object_id):
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
 
-    if not request.user.has_perm(app_label + '.' + opts.get_change_permission()):
+    try:
+        manipulator = model.ChangeManipulator(object_id)
+    except ObjectDoesNotExist:
+        raise Http404
+
+    if not request.user.has_perm(app_label + '.' + opts.get_change_permission(), object=manipulator.original_object):
         raise PermissionDenied
 
     if request.POST and request.POST.has_key("_saveasnew"):
         return add_stage(request, app_label, model_name, form_url='../../add/')
 
-    try:
-        manipulator = model.ChangeManipulator(object_id)
-    except ObjectDoesNotExist:
-        raise Http404
+
 
     if request.POST:
         new_data = request.POST.copy()
@@ -418,7 +420,7 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current
     if current_depth > 16:
         return # Avoid recursing too deep.
     opts_seen = []
-    for related in opts.get_all_related_objects():
+    for related in opts.related_objects():
         if related.opts in opts_seen:
             continue
         opts_seen.append(related.opts)
@@ -501,10 +503,12 @@ def delete_stage(request, app_label, model_name, object_id):
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
-    if not request.user.has_perm(app_label + '.' + opts.get_delete_permission()):
-        raise PermissionDenied
+
     obj = get_object_or_404(model, pk=object_id)
 
+    if not request.user.has_perm(app_label + '.' + opts.get_delete_permission(), object=obj):
+        raise PermissionDenied
+
     # Populate deleted_objects, a data structure of all related objects that
     # will also be deleted.
     deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []]
@@ -741,7 +745,7 @@ def change_list(request, app_label, model_name):
     model = models.get_model(app_label, model_name)
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
-    if not request.user.has_perm(app_label + '.' + model._meta.get_change_permission()):
+    if not request.user.contains_permission(app_label + '.' + model._meta.get_change_permission(), model):
         raise PermissionDenied
     try:
         cl = ChangeList(request, model)