admin: fix permissions not being checked for policybinding list

This commit is contained in:
Jens Langhammer 2020-09-19 22:54:49 +02:00
parent 5fa3729702
commit f3ee8f7d9c

View file

@ -9,11 +9,12 @@ from django.urls import reverse_lazy
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from django.views.generic import ListView, UpdateView from django.views.generic import ListView, UpdateView
from guardian.mixins import PermissionListMixin, PermissionRequiredMixin from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
from guardian.shortcuts import get_objects_for_user
from passbook.admin.views.utils import DeleteMessageView from passbook.admin.views.utils import DeleteMessageView
from passbook.lib.views import CreateAssignPermView from passbook.lib.views import CreateAssignPermView
from passbook.policies.forms import PolicyBindingForm from passbook.policies.forms import PolicyBindingForm
from passbook.policies.models import PolicyBinding, PolicyBindingModel from passbook.policies.models import PolicyBinding
class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView): class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
@ -29,13 +30,18 @@ class PolicyBindingListView(LoginRequiredMixin, PermissionListMixin, ListView):
# Since `select_subclasses` does not work with a foreign key, we have to do two queries here # Since `select_subclasses` does not work with a foreign key, we have to do two queries here
# First, get all pbm objects that have bindings attached # First, get all pbm objects that have bindings attached
objects = ( objects = (
PolicyBindingModel.objects.filter(policies__isnull=False) get_objects_for_user(
self.request.user, "passbook_policies.view_policybindingmodel"
)
.filter(policies__isnull=False)
.select_subclasses() .select_subclasses()
.select_related() .select_related()
.order_by("pk") .order_by("pk")
) )
for pbm in objects: for pbm in objects:
pbm.bindings = PolicyBinding.objects.filter(target__pk=pbm.pbm_uuid) pbm.bindings = get_objects_for_user(
self.request.user, self.permission_required
).filter(target__pk=pbm.pbm_uuid)
return objects return objects