From 383d0fcc38a629e53ceca727a89d4715d060d845 Mon Sep 17 00:00:00 2001
From: Roberto Rosario <Roberto.Rosario@mayan-edms.com>
Date: Sat, 19 Jan 2019 01:12:39 -0400
Subject: [PATCH] Remove support for raising 404

Remove explict support for raising 404 error when the
object access fails.

The new method to use is to restrict the queryset using
the .restrict_queryset manager method and then .get() the
desired object. If the object access control failed then
the desired object will not be found in the queryset
and an error 404 will be raised. The end result is the same:
error 404, the method to raise the error is what differs now.

Signed-off-by: Roberto Rosario <Roberto.Rosario@mayan-edms.com>
---
 mayan/apps/common/literals.py |  2 +-
 mayan/apps/common/mixins.py   | 43 +++++++++++++----------------------
 mayan/apps/common/views.py    |  4 ++--
 3 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/mayan/apps/common/literals.py b/mayan/apps/common/literals.py
index 80b781da2c..3a6c613a74 100644
--- a/mayan/apps/common/literals.py
+++ b/mayan/apps/common/literals.py
@@ -11,7 +11,7 @@ MESSAGE_SQLITE_WARNING = _(
     'for development and testing, not for production.'
 )
 PYPI_URL = 'https://pypi.python.org/pypi'
-
+PK_LIST_SEPARATOR = ','
 TEXT_LIST_AS_ITEMS_PARAMETER = '_list_mode'
 TEXT_LIST_AS_ITEMS_VARIABLE_NAME = 'list_as_items'
 TEXT_CHOICE_ITEMS = 'items'
diff --git a/mayan/apps/common/mixins.py b/mayan/apps/common/mixins.py
index 103dc36dbe..67132941e2 100644
--- a/mayan/apps/common/mixins.py
+++ b/mayan/apps/common/mixins.py
@@ -16,8 +16,8 @@ from mayan.apps.permissions import Permission
 from .exceptions import ActionError
 from .forms import DynamicForm
 from .literals import (
-    TEXT_CHOICE_ITEMS, TEXT_CHOICE_LIST, TEXT_LIST_AS_ITEMS_PARAMETER,
-    TEXT_LIST_AS_ITEMS_VARIABLE_NAME
+    PK_LIST_SEPARATOR, TEXT_CHOICE_ITEMS, TEXT_CHOICE_LIST,
+    TEXT_LIST_AS_ITEMS_PARAMETER, TEXT_LIST_AS_ITEMS_VARIABLE_NAME
 )
 
 __all__ = (
@@ -73,7 +73,7 @@ class ExtraContextMixin(object):
         return context
 
 
-class ExternalObjectViewMixin(object):
+class ExternalObjectMixin(object):
     external_object_class = None
     external_object_permission = None
     external_object_pk_url_kwarg = 'pk'
@@ -214,7 +214,7 @@ class MultipleObjectMixin(object):
     model = None
     object_permission = None
     pk_list_key = 'id_list'
-    pk_list_separator = ','
+    pk_list_separator = PK_LIST_SEPARATOR
     pk_url_kwarg = 'pk'
     queryset = None
     slug_url_kwarg = 'slug'
@@ -334,7 +334,7 @@ class ObjectListPermissionFilterMixin(object):
 
         if not self.access_object_retrieve_method and self.object_permission:
             return AccessControlList.objects.filter_by_access(
-                obj=self.object_permission, queryset=queryset,
+                permission=self.object_permission, queryset=queryset,
                 user=self.request.user
             )
         else:
@@ -359,38 +359,27 @@ class ObjectNameMixin(object):
 
 class ObjectPermissionCheckMixin(object):
     """
-    If object_permission_raise_404 is True an HTTP 404 error will be raised
-    instead of the normal 403.
+    Filter the queryset of the view by the `object_permission` provided.
+    If no `object_permission` is provide the queryset will be returned
+    as is.
     """
     object_permission = None
-    object_permission_raise_404 = False
 
-    def get_permission_object(self):
-        return self.get_object()
+    def get_queryset(self):
+        queryset = super(ObjectPermissionCheckMixin, self).get_queryset()
 
-    def dispatch(self, request, *args, **kwargs):
         if self.object_permission:
-            try:
-                AccessControlList.objects.check_access(
-                    obj=self.get_permission_object(),
-                    permissions=self.object_permission,
-                    related=getattr(self, 'object_permission_related', None),
-                    user=request.user
-                )
-            except PermissionDenied:
-                if self.object_permission_raise_404:
-                    raise Http404
-                else:
-                    raise
+            return AccessControlList.objects.restrict_queryset(
+                permission=self.object_permission, queryset=queryset,
+                user=self.request.user
+            )
 
-        return super(
-            ObjectPermissionCheckMixin, self
-        ).dispatch(request, *args, **kwargs)
+        return queryset
 
 
 class RedirectionMixin(object):
-    post_action_redirect = None
     action_cancel_redirect = None
+    post_action_redirect = None
 
     def dispatch(self, request, *args, **kwargs):
         post_action_redirect = self.get_post_action_redirect()
diff --git a/mayan/apps/common/views.py b/mayan/apps/common/views.py
index 8bdc694e66..ca5e47fd2c 100644
--- a/mayan/apps/common/views.py
+++ b/mayan/apps/common/views.py
@@ -16,7 +16,7 @@ from django.views.generic import RedirectView, TemplateView
 
 from mayan.apps.acls.models import AccessControlList
 from mayan.apps.common.mixins import (
-    ContentTypeViewMixin, ExternalObjectViewMixin
+    ContentTypeViewMixin, ExternalObjectMixin
 )
 
 from .exceptions import NotLatestVersion, UnknownLatestVersion
@@ -174,7 +174,7 @@ class ObjectErrorLogEntryListClearView(ConfirmView):
         )
 
 
-class ObjectErrorLogEntryListView(ContentTypeViewMixin, ExternalObjectViewMixin, SingleObjectListView):
+class ObjectErrorLogEntryListView(ContentTypeViewMixin, ExternalObjectMixin, SingleObjectListView):
     #TODO: Update for MERC 6. Return 404.
     """
     def dispatch(self, request, *args, **kwargs):