inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-10-29 20:30:39 +00:00
Code Activity

Enhancement for metadata OPTIONS checks (#10693)

Browse Source 
* Enhancement for metadata OPTIONS checks

- Handle case where custom `role_required` attribute is set
- Allows integration for plugin views not associated with an internal model

* Cleanup logic
This commit is contained in:
Oliver
2025-10-28 11:23:24 +11:00
committed by GitHub
parent ceb055d61a
commit 548f05e61c
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/backend/InvenTree/InvenTree/metadata.py
View File

@@ -15,7 +15,7 @@ import common.models
import InvenTree.permissions import InvenTree.permissions
from InvenTree.helpers import str2bool from InvenTree.helpers import str2bool
from InvenTree.serializers import DependentField from InvenTree.serializers import DependentField
from users.permissions import check_user_permission from users.permissions import check_user_permission, check_user_role
logger = structlog.get_logger('inventree') logger = structlog.get_logger('inventree')
@@ -122,18 +122,24 @@ class InvenTreeMetadata(SimpleMetadata):
if hasattr(view, 'rolemap'): if hasattr(view, 'rolemap'):
rolemap.update(view.rolemap) rolemap.update(view.rolemap)
# The view may define a custom role requirement
role_required = getattr(view, 'role_required', None)
# Remove any HTTP methods that the user does not have permission for # Remove any HTTP methods that the user does not have permission for
for method, permission in rolemap.items(): for method, permission in rolemap.items():
result = check_user_permission(user, self.model, permission) result = check_user_permission(user, self.model, permission) or (
role_required and check_user_role(user, role_required, permission)
)
if method in actions and not result: if method in actions and not result:
del actions[method] del actions[method]
# Add a 'DELETE' action if we are allowed to delete # Add a 'DELETE' action if we are allowed to delete
if 'DELETE' in view.allowed_methods and check_user_permission( if 'DELETE' in view.allowed_methods:
user, self.model, 'delete' if check_user_permission(user, self.model, 'delete') or (
): role_required and check_user_role(user, role_required, 'delete')
actions['DELETE'] = {} ):
actions['DELETE'] = {}
metadata['actions'] = actions metadata['actions'] = actions