From 775894ee0d08fe3aaa53725300be2b8d9f46516a Mon Sep 17 00:00:00 2001
From: Michael Price
Date: Fri, 2 Mar 2018 18:00:48 -0400
Subject: [PATCH] Improve permission having in the workflow app views. Most were made more granular and operate now on an object access basis instead of working per view permission.
Signed-off-by: Michael Price
---
 mayan/apps/document_states/views.py | 138 +++++++++++++++++----------
 1 file changed, 84 insertions(+), 54 deletions(-)
diff --git a/mayan/apps/document_states/views.py b/mayan/apps/document_states/views.py
index 88da580ea3..ee2f305598 100644
--- a/mayan/apps/document_states/views.py
+++ b/mayan/apps/document_states/views.py
@@ -142,33 +142,33 @@ class SetupWorkflowListView(SingleObjectListView):
 'hide_object': True,
 }
 model = Workflow
- view_permission = permission_workflow_view
+ object_permission = permission_workflow_view
 class SetupWorkflowCreateView(SingleObjectCreateView):
 form_class = WorkflowForm
 model = Workflow
- view_permission = permission_workflow_create
 post_action_redirect = reverse_lazy('document_states:setup_workflow_list')
+ view_permission = permission_workflow_create
 class SetupWorkflowEditView(SingleObjectEditView):
 form_class = WorkflowForm
 model = Workflow
- view_permission = permission_workflow_edit
+ object_permission = permission_workflow_edit
 post_action_redirect = reverse_lazy('document_states:setup_workflow_list')
 class SetupWorkflowDeleteView(SingleObjectDeleteView):
 model = Workflow
- view_permission = permission_workflow_delete
+ object_permission = permission_workflow_delete
 post_action_redirect = reverse_lazy('document_states:setup_workflow_list')
 class SetupWorkflowDocumentTypesView(AssignRemoveView):
 decode_content_type = True
- object_permission = permission_workflow_edit
 left_list_title = _('Available document types')
+ object_permission = permission_workflow_edit
 right_list_title = _('Document types assigned this workflow')
 def add(self, item):
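Review bot: `SetupWorkflowCreateView` is the only view in this hunk that keeps `view_permission`, and the code does not say why, so a later cleanup could convert it to `object_permission` by mistake. A one-line comment above the attribute would record the reason, for example `# No Workflow object exists yet, so creation stays a view-level permission.` The attribute reorderings here and in `SetupWorkflowDocumentTypesView` are cosmetic and sit among the access-control changes, which makes the lines that alter authorization harder to pick out. `SetupWorkflowListView` starts above this hunk and `SetupWorkflowDocumentTypesView` continues below it.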
@@ -203,29 +203,7 @@ class SetupWorkflowDocumentTypesView(AssignRemoveView):
 # item
-class SetupWorkflowStateListView(SingleObjectListView):
- def dispatch(self, request, *args, **kwargs):
- AccessControlList.objects.check_access(
- permissions=permission_workflow_view, user=request.user,
- obj=self.get_workflow()
- )
-
- return super(
- SetupWorkflowStateListView, self
- ).dispatch(request, *args, **kwargs)
-
- def get_extra_context(self):
- return {
- 'hide_link': True,
- 'object': self.get_workflow(),
- 'title': _('States of workflow: %s') % self.get_workflow()
- }
-
- def get_object_list(self):
- return self.get_workflow().states.all()
-
- def get_workflow(self):
- return get_object_or_404(Workflow, pk=self.kwargs['pk'])
+# Workflow state actions
 class SetupWorkflowStateActionCreateView(SingleObjectDynamicFormCreateView):
@@ -387,9 +365,11 @@ class SetupWorkflowStateActionSelectionView(FormView):
 return get_object_or_404(WorkflowState, pk=self.kwargs['pk'])
+# Workflow states
+
+
 class SetupWorkflowStateCreateView(SingleObjectCreateView):
 form_class = WorkflowStateForm
- view_permission = permission_workflow_edit
 def get_extra_context(self):
 return {
@@ -399,17 +379,22 @@ class SetupWorkflowStateCreateView(SingleObjectCreateView):
 ) % self.get_workflow()
 }
- def get_workflow(self):
- return get_object_or_404(Workflow, pk=self.kwargs['pk'])
-
 def get_object_list(self):
 return self.get_workflow().states.all()
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_states', args=(self.kwargs['pk'],)
+ 'document_states:setup_workflow_state_list', args=(self.kwargs['pk'],)
 )
+ def get_workflow(self):
+ workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
+ AccessControlList.objects.check_access(
+ permissions=(permission_workflow_edit,), obj=workflow,
+ user=self.request.user
+ )
+ return workflow
+
 def form_valid(self, form):
 self.object = form.save(commit=False)
 self.object.workflow = self.get_workflow()
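Review bot: `SetupWorkflowStateCreateView` now enforces access only inside `get_workflow()`, because the preceding hunk drops its class-level `view_permission`, so the view is guarded only on code paths that call that getter. The visible callers (`get_extra_context()`, `get_object_list()`, `form_valid()`) do reach it, but running the check once in `dispatch()`, e.g. `self.workflow = self.get_workflow()` before delegating to the parent `dispatch()`, would make the guard independent of which hooks the base class invokes and would avoid repeating the lookup and ACL query on every call. The same pattern is added to `SetupWorkflowTransitionCreateView.get_workflow()` in the `-515` hunk. `form_valid()` continues past the end of this hunk.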
@@ -419,7 +404,7 @@ class SetupWorkflowStateCreateView(SingleObjectCreateView):
 class SetupWorkflowStateDeleteView(SingleObjectDeleteView):
 model = WorkflowState
- view_permission = permission_workflow_edit
+ object_permission = permission_workflow_edit
 def get_extra_context(self):
 return {
@@ -428,17 +413,28 @@ class SetupWorkflowStateDeleteView(SingleObjectDeleteView):
 'workflow_instance': self.get_object().workflow,
 }
+ def get_object_list(self):
+ return self.get_workflow().states.all()
+
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_states',
+ 'document_states:setup_workflow_state_list',
 args=(self.get_object().workflow.pk,)
 )
+ def get_workflow(self):
+ workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
+ AccessControlList.objects.check_access(
+ permissions=(permission_workflow_edit,), obj=workflow,
+ user=self.request.user
+ )
+ return workflow
+
 class SetupWorkflowStateEditView(SingleObjectEditView):
 form_class = WorkflowStateForm
 model = WorkflowState
- view_permission = permission_workflow_edit
+ object_permission = permission_workflow_edit
 def get_extra_context(self):
 return {
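Review bot: `object_permission = permission_workflow_edit` on `SetupWorkflowStateDeleteView` is evaluated against a `WorkflowState`, not against its parent `Workflow`, so whether a user granted edit access on a workflow can still delete its states depends on ACL inheritance that this patch does not show. If no inheritance from state to workflow is registered, the view presumably fails closed for users who hold only a per-workflow ACL, which is safe but a regression; a test with access granted on the workflow alone would settle it. The same applies to `SetupWorkflowStateEditView` in the next hunk and to the transition delete and edit views in the `-515` and `-544` hunks. The class body continues outside this hunk.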
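Review bot: The `get_workflow()` added to `SetupWorkflowStateDeleteView` looks up a `Workflow` by `self.kwargs['pk']`, but this view has `model = WorkflowState` and `get_success_url()` reaches the workflow through `self.get_object().workflow.pk`, so the URL `pk` appears to be a state id rather than a workflow id. If so, the `check_access` call authorizes against whichever workflow shares that number (or returns 404), and the new `get_object_list()` limits the deletable states to that unrelated workflow. Resolving the parent from the state, `workflow = get_object_or_404(WorkflowState, pk=self.kwargs['pk']).workflow`, would check the right object; the URL pattern is not part of this patch, so please confirm which id it carries.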
@@ -449,36 +445,43 @@ class SetupWorkflowStateEditView(SingleObjectEditView):
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_states',
+ 'document_states:setup_workflow_state_list',
 args=(self.get_object().workflow.pk,)
 )
-# Transitions
+class SetupWorkflowStateListView(SingleObjectListView):
+ object_permission = permission_workflow_view
+ def dispatch(self, request, *args, **kwargs):
+ AccessControlList.objects.check_access(
+ permissions=permission_workflow_view, user=request.user,
+ obj=self.get_workflow()
+ )
-class SetupWorkflowTransitionListView(SingleObjectListView):
- view_permission = permission_workflow_view
+ return super(
+ SetupWorkflowStateListView, self
+ ).dispatch(request, *args, **kwargs)
 def get_extra_context(self):
 return {
 'hide_link': True,
 'object': self.get_workflow(),
- 'title': _(
- 'Transitions of workflow: %s'
- ) % self.get_workflow()
+ 'title': _('States of workflow: %s') % self.get_workflow()
 }
 def get_object_list(self):
- return self.get_workflow().transitions.all()
+ return self.get_workflow().states.all()
 def get_workflow(self):
 return get_object_or_404(Workflow, pk=self.kwargs['pk'])
+# Transitions
+
+
 class SetupWorkflowTransitionCreateView(SingleObjectCreateView):
 form_class = WorkflowTransitionForm
- view_permission = permission_workflow_edit
 def form_valid(self, form):
 self.object = form.save(commit=False)
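Review bot: `SetupWorkflowStateListView` now enforces access twice and in two different ways: the new `object_permission = permission_workflow_view`, which the base class presumably applies to each listed `WorkflowState`, and the explicit `check_access` on the parent workflow in `dispatch()`. The `dispatch()` check is the one that protects the workflow shown in `title` and `object`, so I would keep it and either drop `object_permission` or add a comment saying why both are needed; otherwise a user with view access on the workflow may get an empty list if states carry no ACL of their own. The call also passes `permissions=permission_workflow_view` bare, while the `check_access` calls added elsewhere in this patch pass a tuple; `permissions=(permission_workflow_view,)` would make them consistent.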
@@ -515,17 +518,22 @@ class SetupWorkflowTransitionCreateView(SingleObjectCreateView):
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_transitions',
+ 'document_states:setup_workflow_transition_list',
 args=(self.kwargs['pk'],)
 )
 def get_workflow(self):
- return get_object_or_404(Workflow, pk=self.kwargs['pk'])
+ workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
+ AccessControlList.objects.check_access(
+ permissions=(permission_workflow_edit,), obj=workflow,
+ user=self.request.user
+ )
+ return workflow
 class SetupWorkflowTransitionDeleteView(SingleObjectDeleteView):
 model = WorkflowTransition
- view_permission = permission_workflow_edit
+ object_permission = permission_workflow_edit
 def get_extra_context(self):
 return {
@@ -536,7 +544,7 @@ class SetupWorkflowTransitionDeleteView(SingleObjectDeleteView):
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_transitions',
+ 'document_states:setup_workflow_transition_list',
 args=(self.get_object().workflow.pk,)
 )
@@ -544,7 +552,7 @@ class SetupWorkflowTransitionDeleteView(SingleObjectDeleteView):
 class SetupWorkflowTransitionEditView(SingleObjectEditView):
 form_class = WorkflowTransitionForm
 model = WorkflowTransition
- view_permission = permission_workflow_edit
+ object_permission = permission_workflow_edit
 def get_extra_context(self):
 return {
@@ -562,13 +570,35 @@ class SetupWorkflowTransitionEditView(SingleObjectEditView):
 def get_success_url(self):
 return reverse(
- 'document_states:setup_workflow_transitions',
+ 'document_states:setup_workflow_transition_list',
 args=(self.get_object().workflow.pk,)
 )
+class SetupWorkflowTransitionListView(SingleObjectListView):
+ object_permission = permission_workflow_view
+
+ def get_extra_context(self):
+ return {
+ 'hide_link': True,
+ 'object': self.get_workflow(),
+ 'title': _(
+ 'Transitions of workflow: %s'
+ ) % self.get_workflow()
+ }
+
+ def get_object_list(self):
+ return self.get_workflow().transitions.all()
+
+ def get_workflow(self):
+ return get_object_or_404(Workflow, pk=self.kwargs['pk'])
+
+
+# Other
+
+
 class WorkflowListView(SingleObjectListView):
- view_permission = permission_workflow_view
+ object_permission = permission_workflow_view
 def get_extra_context(self):
 return {
@@ -735,7 +765,7 @@ class SetupWorkflowTransitionTriggerEventListView(FormView):
 initial = []
 # Return the queryset by name from the sorted list of the class
- event_type_ids = [event_type.id for event_type in Event.all()]
+ event_type_ids = [event_type.id for event_type in EventType.all()]
 event_type_queryset = StoredEventType.objects.filter(
 name__in=event_type_ids
 )
@@ -749,7 +779,7 @@ class SetupWorkflowTransitionTriggerEventListView(FormView):
 def get_post_action_redirect(self):
 return reverse(
- 'document_states:setup_workflow_transitions',
+ 'document_states:setup_workflow_transition_list',
 args=(self.get_object().workflow.pk,)
 )
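Review bot: `SetupWorkflowTransitionListView.get_workflow()` returns the workflow from a bare `get_object_or_404` with no access check, unlike `SetupWorkflowStateListView`, which checks `permission_workflow_view` on the parent in `dispatch()`. With `view_permission` replaced, the only guard left is `object_permission` on the listed transitions, so a user without access to the workflow would presumably still receive a page whose `title` and `object` context name that workflow. Checking the parent inside `get_workflow()`, in the same form the create views use in this patch, closes that gap.

```python
class SetupWorkflowTransitionListView(SingleObjectListView):
    # … unchanged: object_permission, get_extra_context, get_object_list …

    def get_workflow(self):
        workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
        AccessControlList.objects.check_access(
            permissions=(permission_workflow_view,), obj=workflow,
            user=self.request.user
        )
        return workflow
```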
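Review bot: `EventType.all()` replaces `Event.all()` in `SetupWorkflowTransitionTriggerEventListView`, but no hunk in this patch touches the import block of `views.py`, so unless `EventType` was already imported this line raises `NameError` when the trigger form is built. Please confirm the import is present, and drop the `Event` import if nothing else uses it. The renamed URL names (`setup_workflow_state_list`, `setup_workflow_transition_list`) likewise depend on `urls.py`, which this one-file patch does not change. The enclosing method starts and ends outside the hunk.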