Merge pull request #1010 from SchrodingersGat/admin-permission-fixes

Update admin links to require specific permissions
2025-06-28 09:40:43 +00:00 · 2020-10-01 00:37:43 +10:00
parent 400f183597 626d0266c8
commit 4f648f8787
11 changed files with 73 additions and 27 deletions
--- a/InvenTree/InvenTree/static/script/inventree/modals.js
+++ b/InvenTree/InvenTree/static/script/inventree/modals.js
@ -807,7 +807,19 @@ function launchModalForm(url, options = {}) {
            }
        },
        error: function (xhr, ajaxOptions, thrownError) {
            $(modal).modal('hide');
            // Permission denied!
            if (xhr.status == 403) {
                showAlertDialog(
                    "Permission Denied",
                    "You do not have the required permissions to access this function"
                );
                return;
            }
            showAlertDialog('Error requesting form data', renderErrorMessage(xhr));
        }
    };
--- a/InvenTree/InvenTree/views.py
+++ b/InvenTree/InvenTree/views.py
@ -13,6 +13,8 @@ from django.template.loader import render_to_string
 from django.http import JsonResponse, HttpResponseRedirect
 from django.urls import reverse_lazy
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.views import View
 from django.views.generic import UpdateView, CreateView, FormView
 from django.views.generic.base import TemplateView
@ -105,12 +107,32 @@ class TreeSerializer(views.APIView):
        return JsonResponse(response, safe=False)
-class AjaxMixin(object):
+class AjaxMixin(PermissionRequiredMixin):
    """ AjaxMixin provides basic functionality for rendering a Django form to JSON.
    Handles jsonResponse rendering, and adds extra data for the modal forms to process
    on the client side.
    Any view which inherits the AjaxMixin will need
    correct permissions set using the 'permission_required' attribute
    """
    # By default, allow *any* permissions
    permission_required = '*'
    def has_permission(self):
        """
        Override the default behaviour of has_permission from PermissionRequiredMixin.
        Basically, if permission_required attribute = '*',
        no permissions are actually required!
        """
        if self.permission_required == '*':
            return True
        else:
            return super().has_permission()
    # By default, point to the modal_form template
    # (this can be overridden by a child class)
    ajax_template_name = 'modal_form.html'
--- a/InvenTree/build/templates/build/build_base.html
+++ b/InvenTree/build/templates/build/build_base.html
@ -35,7 +35,7 @@ src="{% static 'img/blank_image.png' %}"
 <hr>
 <h4>
    {{ build.quantity }} x {{ build.part.full_name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.build.change_build %}
    <a  href="{% url 'admin:build_build_change' build.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>
--- a/InvenTree/company/templates/company/company_base.html
+++ b/InvenTree/company/templates/company/company_base.html
@ -23,7 +23,7 @@ InvenTree | {% trans "Company" %} - {{ company.name }}
 <hr>
 <h4>
    {{ company.name }}
-    {% if user.is_staff %}
+    {% if user.is_staff and perms.company.change_company %}
    <a  href="{% url 'admin:company_company_change' company.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
    {% endif %}
 </h4>
--- a/InvenTree/order/templates/order/order_base.html
+++ b/InvenTree/order/templates/order/order_base.html
@ -22,7 +22,12 @@ src="{% static 'img/blank_image.png' %}"
 {% block page_data %}
 <h3>{% trans "Purchase Order" %} {% purchase_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
    {{ order }}
    {% if user.is_staff and perms.order.change_purchaseorder %}
    <a href="{% url 'admin:order_purchaseorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
    {% endif %}
 </h4>
 <p>{{ order.description }}</p>
 <p>
    <div class='btn-row'>
--- a/InvenTree/order/templates/order/sales_order_base.html
+++ b/InvenTree/order/templates/order/sales_order_base.html
@ -32,7 +32,12 @@ src="{% static 'img/blank_image.png' %}"
 <h3>{% trans "Sales Order" %} {% sales_order_status_label order.status large=True %}</h3>
 <hr>
-<h4>{{ order }}</h4>
+<h4>
    {{ order }}
    {% if user.is_staff and perms.order.change_salesorder %}
    <a href="{% url 'admin:order_salesorder_change' order.pk %}"><span title='{% trans "Admin view" %}' class='fas fa-user-shield'></span></a>
    {% endif %}
 </h4>
 <p>{{ order.description }}</p>
 <div class='btn-row'>
    <div class='btn-group action-buttons'>
--- a/InvenTree/part/templates/part/category.html
+++ b/InvenTree/part/templates/part/category.html
@ -9,7 +9,7 @@
        {% if category %}
        <h3>
            {{ category.name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_partcategory %}
            <a href="{% url 'admin:part_partcategory_change' category.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
            {% endif %}
        </h3>
@ -114,10 +114,10 @@
                </ul>
            </div>
        </div>
    </div>
    <div class='filter-list' id='filter-list-parts'>
        <!-- Empty div -->
    </div>
    </div>
 </div>
 <table class='table table-striped table-condensed' data-toolbar='#button-toolbar' id='part-table'>
--- a/InvenTree/part/templates/part/part_base.html
+++ b/InvenTree/part/templates/part/part_base.html
@ -28,7 +28,7 @@
    <div class="media-body">
        <h3>
            {{ part.full_name }}
-            {% if user.is_staff %}
+            {% if user.is_staff and perms.part.change_part %}
            <a  href="{% url 'admin:part_part_change' part.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
            {% endif %}
            {% if not part.active %}
--- a/InvenTree/stock/templates/stock/item_base.html
+++ b/InvenTree/stock/templates/stock/item_base.html
@ -65,7 +65,7 @@ InvenTree | {% trans "Stock Item" %} - {{ item }}
 {% else %}
    <a href='{% url "part-detail" item.part.pk %}'>{{ item.part.full_name }}</a> &times {% decimal item.quantity %}
 {% endif %}
-{% if user.is_staff %}
+{% if user.is_staff and perms.stock.change_stockitem %}
    <a  href="{% url 'admin:stock_stockitem_change' item.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
 {% endif %}
 </h4>
--- a/InvenTree/stock/templates/stock/location.html
+++ b/InvenTree/stock/templates/stock/location.html
@ -8,7 +8,7 @@
    {% if location %}
    <h3>
        {{ location.name }}
-        {% if user.is_staff %}
+        {% if user.is_staff and perms.stock.change_stocklocation %}
        <a  href="{% url 'admin:stock_stocklocation_change' location.pk %}"><span title="{% trans 'Admin view' %}" class='fas fa-user-shield'></span></a>
        {% endif %}
    </h3>
--- a/InvenTree/templates/stock_table.html
+++ b/InvenTree/templates/stock_table.html
@ -2,6 +2,7 @@
 <div id='button-toolbar'>
    <div class='button-toolbar container-fluid' style='float: right;'>
        <div class='btn-group'>
            <button class='btn btn-default' id='stock-export' title='{% trans "Export Stock Information" %}'>{% trans "Export" %}</button>
            {% if read_only %}
            {% else %}
@ -18,6 +19,7 @@
                </ul>
            </div>
            {% endif %}
        </div>
        <div class='filter-list' id='filter-list-stock'>
            <!-- An empty div in which the filter list will be constructed -->
        </div>