From 43d7cba264f7e12e2328b74cd4e05b20d9f11b33 Mon Sep 17 00:00:00 2001 From: Hugo Levy-Falk Date: Fri, 28 Aug 2020 22:00:43 +0100 Subject: [PATCH] Fix acl when viewing history of deleted object or all history. --- logs/views.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/logs/views.py b/logs/views.py index 0eef11d7..e67aefc3 100644 --- a/logs/views.py +++ b/logs/views.py @@ -98,7 +98,13 @@ from re2o.utils import ( all_active_interfaces_count, ) from re2o.base import re2o_paginator, SortTable -from re2o.acl import can_view_all, can_view_app, can_edit_history, can_view +from re2o.acl import ( + can_view_all, + can_view_app, + can_edit_history, + can_view, + acl_error_message, +) from .models import ( ActionsSearch, @@ -109,6 +115,8 @@ from .models import ( from .forms import ActionsSearchForm, MachineHistorySearchForm +from .acl import can_view as can_view_logs + @login_required @can_view_app("logs") @@ -536,12 +544,11 @@ def get_history_object(request, model, object_name, object_id): instance = None if instance is None: - # TODO : THIS IS A DECORATOR, YOU CANNOT USE IT LIKE THIS. AS IT, IT - # WILL ALLOW ANYONE TO SEE THE HISTORY OF A DELETED OBJECT. - authorized = can_view_app("logs") - msg = None + authorized, msg, permissions = can_view_logs(request.user) else: - authorized, msg, _permissions = instance.can_view(request.user) + authorized, msg, permissions = instance.can_view(request.user) + + msg = acl_error_message(msg, permissions) if not authorized: messages.error(