mirror of
https://github.com/inventree/InvenTree.git
synced 2025-10-31 05:05:42 +00:00
Enhancement for metadata OPTIONS checks (#10693)
* Enhancement for metadata OPTIONS checks - Handle case where custom `role_required` attribute is set - Allows integration for plugin views not associated with an internal model * Cleanup logic
This commit is contained in:
Oliver
GitHub
@@ -15,7 +15,7 @@ import common.models
|
||||
import InvenTree.permissions
|
||||
from InvenTree.helpers import str2bool
|
||||
from InvenTree.serializers import DependentField
|
||||
from users.permissions import check_user_permission
|
||||
from users.permissions import check_user_permission, check_user_role
|
||||
|
||||
logger = structlog.get_logger('inventree')
|
||||
|
||||
@@ -122,18 +122,24 @@ class InvenTreeMetadata(SimpleMetadata):
|
||||
if hasattr(view, 'rolemap'):
|
||||
rolemap.update(view.rolemap)
|
||||
|
||||
# The view may define a custom role requirement
|
||||
role_required = getattr(view, 'role_required', None)
|
||||
|
||||
# Remove any HTTP methods that the user does not have permission for
|
||||
for method, permission in rolemap.items():
|
||||
result = check_user_permission(user, self.model, permission)
|
||||
result = check_user_permission(user, self.model, permission) or (
|
||||
role_required and check_user_role(user, role_required, permission)
|
||||
)
|
||||
|
||||
if method in actions and not result:
|
||||
del actions[method]
|
||||
|
||||
# Add a 'DELETE' action if we are allowed to delete
|
||||
if 'DELETE' in view.allowed_methods and check_user_permission(
|
||||
user, self.model, 'delete'
|
||||
):
|
||||
actions['DELETE'] = {}
|
||||
if 'DELETE' in view.allowed_methods:
|
||||
if check_user_permission(user, self.model, 'delete') or (
|
||||
role_required and check_user_role(user, role_required, 'delete')
|
||||
):
|
||||
actions['DELETE'] = {}
|
||||
|
||||
metadata['actions'] = actions
|
||||
|
||||
|
||||
Reference in New Issue
Block a user