[admin-theme] menu doesn't respect assigned permissions #103 #123
Conversation
| label = item.get('label', model_class._meta.verbose_name_plural) | ||
| model_admin = site._registry[model_class] | ||
| if not request or model_admin.has_module_permission(request): | ||
| if not request or (permitted_models and model.lower() in permitted_models): |
There was a problem hiding this comment.
this is fragile, there could be two models using the same name but in different apps.
This would be better and more elegant:
request.user.has_perm(item['model'])
But it generates one query for every request, I think we can do the following: openwisp/openwisp-users#153 (review)
NoumbissiValere
force-pushed
the
issue-103-menu-not-respect-permissions
branch
from
971e935 to
e85f820
Compare
NoumbissiValere
force-pushed
the
issue-103-menu-not-respect-permissions
branch
3 times, most recently
from
ce09cfb to
9c294a8
Compare
|
@NoumbissiValere What about #104? |
nemesifier
left a comment
nemesifier
left a comment
There was a problem hiding this comment.
I forgot to send this review
| self.assertContains(response, 'class="shelf"') | ||
|
|
||
| def test_can_see_unpermitted_projects(self): | ||
| Permission.objects.filter(codename__endswith='shelf').delete() |
There was a problem hiding this comment.
superuser must always be allowed, this test is wrong. Keep the superuser test but change it to expect the menu item is shown.
Add another test for a non superuser which does not have the permission.
Use good names please.
test_superuser_always_sees_menu_items
test_operator_cant_see_menu_item
or similar but self explanatory
There was a problem hiding this comment.
Ok. Even though i thought we are focusing on the fact that if a user have a permission on a module he should see its menu item, otherwise he doesn't see it irrespective of who he is.
| continue | ||
| if not request or has_permission: | ||
| menu.append({'url': url, 'label': label, 'class': model.lower()}) | ||
| return menu |
There was a problem hiding this comment.
too complex. BTW, it breaks the UI for superusers.
I tried this which seems to work:
def build_menu(request):
default_items = getattr(settings, 'OPENWISP_DEFAULT_ADMIN_MENU_ITEMS', [])
custom_items = getattr(settings, 'OPENWISP_ADMIN_MENU_ITEMS', [])
items = custom_items or default_items
menu = []
# loop over each item to build the menu
# and check user has permission to see each item
for item in items:
app_label, model = item['model'].split('.')
model_class = registry.apps.get_model(app_label, model)
model_label = model.lower()
url = reverse('admin:{}_{}_changelist'.format(app_label, model_label))
label = item.get('label', model_class._meta.verbose_name_plural)
view_perm = f'{app_label}.view_{model_label}'
change_perm = f'{app_label}.change_{model_label}'
user = request.user
# use cached helper from openwisp-users if available
has_permission_method = user.has_permission if hasattr(user, 'has_permission') else user.has_perm
if has_permission_method(view_perm) or has_permission_method(change_perm):
menu.append({'url': url, 'label': label, 'class': model_label})
return menuNotice that I made the request param mandatory, I don't remember why I made it optional, maybe to ease testing, but better remove that.
Fixed issue by making sure users can access just the models they are permitted to access. Fixes #103
NoumbissiValere
force-pushed
the
issue-103-menu-not-respect-permissions
branch
from
9c294a8 to
43bb49e
Compare
…penwisp#123 - Added package type detection for npm, docker, ansible, and openwrt-agents - Enhanced version parsing for all package types - Updated bump_version() to handle all package type version formats - Added 25 new tests for non-Python packages Fixes openwisp#522
4 participants
Fixed issue by making sure users can access just the models
they are permitted to access.
Fixes #103
Closes #104