misc: check access rights using is_superuser, not is_staff (#59186)
parent
d87a189500
commit
4176ba8b30
|
@ -356,7 +356,7 @@ class Page(models.Model):
|
|||
return False
|
||||
|
||||
def is_editable(self, user):
|
||||
if user.is_staff:
|
||||
if user.is_superuser:
|
||||
return True
|
||||
group_ids = [x.id for x in user.groups.all()]
|
||||
if self.edit_role_id in group_ids:
|
||||
|
@ -438,7 +438,7 @@ class Page(models.Model):
|
|||
pages_hierarchy.append(page_hierarchy)
|
||||
|
||||
group_ids = None # None = do not pay attention to groups
|
||||
if follow_user_perms and not follow_user_perms.is_staff:
|
||||
if follow_user_perms and not follow_user_perms.is_superuser:
|
||||
group_ids = [x.id for x in follow_user_perms.groups.all()]
|
||||
|
||||
pages_hierarchy.sort()
|
||||
|
|
|
@ -4,13 +4,13 @@
|
|||
{% block appbar %}
|
||||
<h2>{% trans 'Pages' %}</h2>
|
||||
<span class="actions">
|
||||
{% if user.is_staff %}
|
||||
{% if user.is_superuser %}
|
||||
<a class="extra-actions-menu-opener"></a>
|
||||
{% endif %}
|
||||
{% if can_add_page %}
|
||||
<a rel="popup" href="{% url 'combo-manager-page-add' %}">{% trans 'New' %}</a>
|
||||
{% endif %}
|
||||
{% if user.is_staff %}
|
||||
{% if user.is_superuser %}
|
||||
<ul class="extra-actions-menu">
|
||||
<li><a href="{% url 'combo-manager-site-export' %}" rel="popup" data-autoclose-dialog="true">{% trans 'Export Site' %}</a></li>
|
||||
<li><a href="{% url 'combo-manager-site-import' %}">{% trans 'Import Site' %}</a></li>
|
||||
|
@ -37,7 +37,7 @@ Use drag and drop with the ⣿ handles to reorder and change hierarchy of pages.
|
|||
<div class="objects-list" id="pages-list" data-page-order-url="{% url 'combo-manager-page-order' %}">
|
||||
{% for page in object_list %}
|
||||
<div class="page level-{{page.level}}{% if collapse_pages %} untoggled{% endif %}" data-page-id="{{page.id}}" data-level="{{page.level}}">
|
||||
{% if user.is_staff %}<span class="handle">⣿</span>{% endif %}
|
||||
{% if user.is_superuser %}<span class="handle">⣿</span>{% endif %}
|
||||
<span class="group1">
|
||||
<a href="{% url 'combo-manager-page-view' pk=page.id %}">
|
||||
{{ page.title }}
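Review bot: The `{% if user.is_superuser %}` tests in this template only hide the extra-actions menu, the Export Site / Import Site links and the drag handle; they do not restrict `combo-manager-site-export`, `combo-manager-site-import` or `combo-manager-page-order` themselves. Those views are not part of this section, so confirm each one is behind the same superuser check on the server (presumably the decorators changed later in this commit); otherwise an `is_staff` account that is not a superuser loses the links but can still request the URLs. The same applies to the add-child, edit-roles and duplicate links in the page view template. A short template comment next to the first test, such as `{# display only: the corresponding views enforce superuser access #}`, would record that the enforcement lives elsewhere.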
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
<ul class="extra-actions-menu">
|
||||
<li><a class="action-history" href="{% url 'combo-manager-page-history' pk=object.id %}">{% trans 'History' %}</a></li>
|
||||
<li><a {% if page_has_subpages %}rel="popup" data-autoclose-dialog="true" {% endif %}class="action-export" href="{% url 'combo-manager-page-export' pk=object.id %}">{% trans 'Export' %}</a></li>
|
||||
{% if request.user.is_staff %}
|
||||
{% if request.user.is_superuser %}
|
||||
<li><a class="action-add-child" rel="popup" href="{% url 'combo-manager-page-add-child' pk=object.id %}">{% trans 'Add a child page' %}</a></li>
|
||||
<li><a class="action-edit-roles" rel="popup" href="{% url 'combo-manager-page-edit-roles' pk=object.id %}">{% trans 'Manage edit roles' %}</a></li>
|
||||
<li><a rel="popup" class="action-duplicate" href="{% url 'combo-manager-page-duplicate' pk=object.id %}">{% trans 'Duplicate' %}</a></li>
|
||||
|
@ -96,7 +96,7 @@
|
|||
<div class="page-options navigation">
|
||||
<h3>{% trans 'Navigation' %}</h3>
|
||||
<ul>
|
||||
{% if object.parent_id and request.user.is_staff %}
|
||||
{% if object.parent_id and request.user.is_superuser %}
|
||||
<li class="nav-up"><a href="{% url 'combo-manager-page-view' pk=object.parent_id %}">{{ object.parent.title }}</a></li>
|
||||
{% endif %}
|
||||
{% if previous_page %}
|
||||
|
|
|
@ -80,7 +80,7 @@ from .forms import (
|
|||
|
||||
|
||||
def can_add_page(user):
|
||||
if user.is_staff:
|
||||
if user.is_superuser:
|
||||
return True
|
||||
group_ids = [x.id for x in user.groups.all()]
|
||||
return bool(Page.objects.filter(subpages_edit_role_id__in=group_ids).exists())
|
||||
|
@ -194,7 +194,7 @@ class PageAddView(CreateView):
|
|||
template_name = 'combo/page_add.html'
|
||||
|
||||
def get_form_class(self):
|
||||
if self.request.user.is_staff:
|
||||
if self.request.user.is_superuser:
|
||||
return PageAddForm
|
||||
elif can_add_page(self.request.user):
|
||||
return PageRestrictedAddForm
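Review bot: `get_form_class` shows no fallback for a user who is neither a superuser nor accepted by `can_add_page`; the hunk ends at `return PageRestrictedAddForm` and the method body continues outside it, so this needs checking against the full file. With this change, `is_staff` accounts without superuser rights no longer take the first branch, so more users can reach that path than before. If nothing follows the `elif`, the method returns `None` and the request fails with an error instead of a clean denial; ending it with `raise PermissionDenied()` would make the refusal explicit (assuming `PermissionDenied` is imported in this module). Separately, in `can_add_page` the `bool(...)` around `.exists()` is redundant, since `exists()` already returns a bool.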
|
||||
|
|
|
@ -115,7 +115,7 @@ def ajax_page_cell(request, page_pk, cell_reference):
|
|||
except Page.DoesNotExist:
|
||||
raise Http404()
|
||||
# as it's from a snapshot access is limited to managers
|
||||
if not (request.user and request.user.is_staff):
|
||||
if not (request.user and request.user.is_superuser):
|
||||
raise PermissionDenied()
|
||||
|
||||
if not page.is_visible(request.user):
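Review bot: The comment `# as it's from a snapshot access is limited to managers` no longer matches the test under it, which now admits superusers only. Elsewhere in this commit, `check_manager` continues past its superuser test for any non-anonymous user, so "manager" appears to be a wider group than superusers. Reword the comment to `# as it's from a snapshot, access is limited to superusers` so the next reader does not widen the check to match the old wording. `ajax_page_cell` starts before this hunk and continues after it.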
|
||||
|
|
|
@ -59,7 +59,7 @@ def decorated_includes(func, includes, *args, **kwargs):
|
|||
|
||||
def manager_required(function=None, login_url=None):
|
||||
def check_manager(user):
|
||||
if user and user.is_staff:
|
||||
if user and user.is_superuser:
|
||||
return True
|
||||
if user and not user.is_anonymous:
|
||||
from combo.data.models import Page
|
||||
|
@ -81,7 +81,7 @@ def manager_required(function=None, login_url=None):
|
|||
|
||||
def staff_required(function=None, login_url=None):
|
||||
def check_staff(user):
|
||||
if user and user.is_staff:
|
||||
if user and user.is_superuser:
|
||||
return True
|
||||
if user and not user.is_anonymous:
|
||||
raise PermissionDenied()
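Review bot: `staff_required` and its inner `check_staff` now test `user.is_superuser`, so the decorator's name no longer says what it enforces, and a later reader may assume an `is_staff` account passes. Add a docstring to `staff_required` such as `"""Allow superusers only; the name predates the is_staff to is_superuser switch."""`, or rename it and keep `staff_required` as an alias for existing callers. `manager_required` above has the same gap: a one-line docstring stating that superusers always pass and other authenticated users go through the check that follows would help. Both function bodies continue outside the hunks shown.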
|
||||
|
|