8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-11-27 07:02:26 +00:00

Fix acl when viewing history of deleted object or all history.

This commit is contained in:
Hugo Levy-Falk 2020-08-28 22:00:43 +01:00 committed by Gabriel Detraz
parent 652982941a
commit 0051099267

View file

@ -98,7 +98,13 @@ from re2o.utils import (
all_active_interfaces_count, all_active_interfaces_count,
) )
from re2o.base import re2o_paginator, SortTable from re2o.base import re2o_paginator, SortTable
from re2o.acl import can_view_all, can_view_app, can_edit_history, can_view from re2o.acl import (
can_view_all,
can_view_app,
can_edit_history,
can_view,
acl_error_message,
)
from .models import ( from .models import (
ActionsSearch, ActionsSearch,
@ -109,6 +115,8 @@ from .models import (
from .forms import ActionsSearchForm, MachineHistorySearchForm from .forms import ActionsSearchForm, MachineHistorySearchForm
from .acl import can_view as can_view_logs
@login_required @login_required
@can_view_app("logs") @can_view_app("logs")
@ -536,12 +544,11 @@ def get_history_object(request, model, object_name, object_id):
instance = None instance = None
if instance is None: if instance is None:
# TODO : THIS IS A DECORATOR, YOU CANNOT USE IT LIKE THIS. AS IT, IT authorized, msg, permissions = can_view_logs(request.user)
# WILL ALLOW ANYONE TO SEE THE HISTORY OF A DELETED OBJECT.
authorized = can_view_app("logs")
msg = None
else: else:
authorized, msg, _permissions = instance.can_view(request.user) authorized, msg, permissions = instance.can_view(request.user)
msg = acl_error_message(msg, permissions)
if not authorized: if not authorized:
messages.error( messages.error(