Merge pull request #1010 from SchrodingersGat/admin-permission-fixes

Update admin links to require specific permissions

InvenTree/InvenTree/static/script/inventree/modals.js

@@ -807,7 +807,19 @@ function launchModalForm(url, options = {}) {
             }
         },
         error: function (xhr, ajaxOptions, thrownError) {
+
             $(modal).modal('hide');
+
+            // Permission denied!
+            if (xhr.status == 403) {
+                showAlertDialog(
+                    "Permission Denied",
+                    "You do not have the required permissions to access this function"
+                );
+
+                return;
+            }
+
             showAlertDialog('Error requesting form data', renderErrorMessage(xhr));
         }
     };

InvenTree/InvenTree/views.py

@@ -13,6 +13,8 @@ from django.template.loader import render_to_string
 from django.http import JsonResponse, HttpResponseRedirect
 from django.urls import reverse_lazy
 
+from django.contrib.auth.mixins import PermissionRequiredMixin
+
 from django.views import View
 from django.views.generic import UpdateView, CreateView, FormView
 from django.views.generic.base import TemplateView
@@ -105,12 +107,32 @@ class TreeSerializer(views.APIView):
         return JsonResponse(response, safe=False)
 
 
-class AjaxMixin(object):
+class AjaxMixin(PermissionRequiredMixin):
     """ AjaxMixin provides basic functionality for rendering a Django form to JSON.
     Handles jsonResponse rendering, and adds extra data for the modal forms to process
     on the client side.
+
+    Any view which inherits the AjaxMixin will need
+    correct permissions set using the 'permission_required' attribute
+
     """
 
+    # By default, allow *any* permissions
+    permission_required = '*'
+
+    def has_permission(self):
+        """
+        Override the default behaviour of has_permission from PermissionRequiredMixin.
+
+        Basically, if permission_required attribute = '*',
+        no permissions are actually required!
+        """
+
+        if self.permission_required == '*':
+            return True
+        else:
+            return super().has_permission()
+
     # By default, point to the modal_form template
     # (this can be overridden by a child class)
     ajax_template_name = 'modal_form.html'

InvenTree/build/templates/build/build_base.html

@@ -35,7 +35,7 @@ src="{% static 'img/blank_image.png' %}"
 <hr>
 <h4>
     {{ build.quantity }} x {{ build.part.full_name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.build.change_build %}
     <a  href="{% url 'admin:build_build_change' build.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>

InvenTree/company/templates/company/company_base.html

@@ -23,7 +23,7 @@ InvenTree | {% trans "Company" %} - {{ company.name }}
 <hr>
 <h4>
     {{ company.name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.company.change_company %}
     <a  href="{% url 'admin:company_company_change' company.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
     {% endif %}
 </h4>

InvenTree/order/templates/order/order_base.html

@@ -22,7 +22,12 @@ src="{% static 'img/blank_image.png' %}"
 {% block page_data %}
 <h3>{% trans "Purchase Order" %} {% purchase_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
+    {{ order }}
+    {% if user.is_staff and perms.order.change_purchaseorder %}
+    <a href="{% url 'admin:order_purchaseorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
+    {% endif %}
+</h4>
 <p>{{ order.description }}</p>
 <p>
     <div class='btn-row'>

InvenTree/order/templates/order/sales_order_base.html

@@ -32,7 +32,12 @@ src="{% static 'img/blank_image.png' %}"
 
 <h3>{% trans "Sales Order" %} {% sales_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
+    {{ order }}
+    {% if user.is_staff and perms.order.change_salesorder %}
+    <a href="{% url 'admin:order_salesorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
+    {% endif %}
+</h4>
 <p>{{ order.description }}</p>
 <div class='btn-row'>
     <div class='btn-group action-buttons'>

InvenTree/part/templates/part/category.html

@@ -9,7 +9,7 @@
         {% if category %}
         <h3>
             {{ category.name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_partcategory %}
             <a href="{% url 'admin:part_partcategory_change' category.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
             {% endif %}
         </h3>
@@ -114,9 +114,9 @@
                 </ul>
             </div>
         </div>
-        <div class='filter-list' id='filter-list-parts'>
-            <!-- Empty div -->
-        </div>
+    </div>
+    <div class='filter-list' id='filter-list-parts'>
+        <!-- Empty div -->
     </div>
 </div>
 

InvenTree/part/templates/part/part_base.html

@@ -28,7 +28,7 @@
     <div class="media-body">
         <h3>
             {{ part.full_name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_part %}
             <a  href="{% url 'admin:part_part_change' part.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
             {% endif %}
             {% if not part.active %}

InvenTree/stock/templates/stock/item_base.html

@@ -65,7 +65,7 @@ InvenTree | {% trans "Stock Item" %} - {{ item }}
 {% else %}
     <a href='{% url "part-detail" item.part.pk %}'>{{ item.part.full_name }}</a> &times {% decimal item.quantity %}
 {% endif %}
-{% if user.is_staff %}
+{% if user.is_staff and perms.stock.change_stockitem %}
     <a  href="{% url 'admin:stock_stockitem_change' item.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>

InvenTree/stock/templates/stock/location.html

@@ -8,7 +8,7 @@
     {% if location %}
     <h3>
         {{ location.name }}
-        {% if user.is_staff %}
+        {% if user.is_staff and perms.stock.change_stocklocation %}
         <a  href="{% url 'admin:stock_stocklocation_change' location.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
         {% endif %}
     </h3>

InvenTree/templates/stock_table.html

@@ -2,22 +2,24 @@
 
 <div id='button-toolbar'>
     <div class='button-toolbar container-fluid' style='float: right;'>
-        <button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
-        {% if read_only %}
-        {% else %}
-        <button class="btn btn-success" id='item-create'>{% trans "New Stock Item" %}</button>
-        <div class="btn-group">
-            <button id='stock-options' class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">{% trans "Options" %}<span class="caret"></span></button>
-            <ul class="dropdown-menu">
-                <li><a href="#" id='multi-item-add' title='{% trans "Add to selected stock items" %}'>{% trans "Add stock" %}</a></li>
-                <li><a href="#" id='multi-item-remove' title='{% trans "Remove from selected stock items" %}'>{% trans "Remove stock" %}</a></li>
-                <li><a href="#" id='multi-item-stocktake' title='{% trans "Stocktake selected stock items" %}'>{% trans "Count stock" %}</a></li>
-                <li><a href='#' id='multi-item-move' title='{% trans "Move selected stock items" %}'>{% trans "Move stock" %}</a></li>
-                <li><a href='#' id='multi-item-order' title='{% trans "Order selected items" %}'>{% trans "Order stock" %}</a></li>
-                <li><a href='#' id='multi-item-delete' title='{% trans "Delete selected items" %}'>{% trans "Delete Stock" %}</a></li>
-            </ul>
+        <div class='btn-group'>
+            <button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
+            {% if read_only %}
+            {% else %}
+            <button class="btn btn-success" id='item-create'>{% trans "New Stock Item" %}</button>
+            <div class="btn-group">
+                <button id='stock-options' class="btn btn-primary dropdown-toggle" type="button" data-toggle="dropdown">{% trans "Options" %}<span class="caret"></span></button>
+                <ul class="dropdown-menu">
+                    <li><a href="#" id='multi-item-add' title='{% trans "Add to selected stock items" %}'>{% trans "Add stock" %}</a></li>
+                    <li><a href="#" id='multi-item-remove' title='{% trans "Remove from selected stock items" %}'>{% trans "Remove stock" %}</a></li>
+                    <li><a href="#" id='multi-item-stocktake' title='{% trans "Stocktake selected stock items" %}'>{% trans "Count stock" %}</a></li>
+                    <li><a href='#' id='multi-item-move' title='{% trans "Move selected stock items" %}'>{% trans "Move stock" %}</a></li>
+                    <li><a href='#' id='multi-item-order' title='{% trans "Order selected items" %}'>{% trans "Order stock" %}</a></li>
+                    <li><a href='#' id='multi-item-delete' title='{% trans "Delete selected items" %}'>{% trans "Delete Stock" %}</a></li>
+                </ul>
+            </div>
+            {% endif %}
         </div>
-        {% endif %}
         <div class='filter-list' id='filter-list-stock'>
             <!-- An empty div in which the filter list will be constructed -->
         </div>