Add cascade permission checks for links. Avoid allowing users to reach a empty views because they don't access to any of the view's objects. Apply link permission cascade checks to the message of the day, indexing and parsing, setup link.

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
2018-08-22 00:14:21 -04:00
parent 8e39016f12
commit bf3723ae24
6 changed files with 71 additions and 7 deletions
--- a/mayan/apps/navigation/utils.py
+++ b/mayan/apps/navigation/utils.py
@@ -0,0 +1,41 @@
+from __future__ import absolute_import, unicode_literals
+
+from django.apps import apps
+from django.core.exceptions import PermissionDenied
+from django.utils.translation import ugettext_lazy as _
+
+from permissions import Permission
+
+
+def get_cascade_condition(app_label, model_name, object_permission, view_permission=None):
+    """
+    Return a function that first checks to see if the user has the view
+    permission. If not, then filters the objects with the object permission
+    and return True if there is at least one item in the filtered queryset.
+    This is used to avoid showing a link that ends up in a view with an
+    empty results set.
+    """
+    def condition(context):
+        AccessControlList = apps.get_model(
+            app_label='acls', model_name='AccessControlList'
+        )
+        Model = apps.get_model(app_label=app_label, model_name=model_name)
+
+        if view_permission:
+            try:
+                Permission.check_permissions(
+                    requester=context.request.user,
+                    permissions=(view_permission,)
+                )
+            except PermissionDenied:
+                pass
+            else:
+                return True
+
+        queryset = AccessControlList.objects.filter_by_access(
+            permission=object_permission, user=context.request.user,
+            queryset=Model.objects.all()
+        )
+        return queryset.count() > 0
+
+    return condition