Improved permissions, 404 and 403 errors will be more frequent (when we type an invalid URL)

2025-06-21 01:48:21 +02:00 · 2020-03-31 04:16:30 +02:00
parent c384ee02eb
commit 1aae18e6a6
13 changed files with 272 additions and 105 deletions
--- a/apps/permission/models.py
+++ b/apps/permission/models.py
@ -38,20 +38,29 @@ class InstancedPermission:
            if permission_type == self.type:
                self.update_query()

-                # Don't increase indexes
-                obj.pk = 0
+                # Don't increase indexes, if the primary key is an AutoField
+                if not hasattr(obj, "pk") or not obj.pk:
+                    obj.pk = 0
+                    oldpk = None
+                else:
+                    oldpk = obj.pk
+                # Ensure previous models are deleted
+                self.model.model_class().objects.filter(pk=obj.pk).delete()
                # Force insertion, no data verification, no trigger
                Model.save(obj, force_insert=True)
-                ret = obj in self.model.model_class().objects.filter(self.query).all()
+                ret = self.model.model_class().objects.filter(self.query & Q(pk=obj.pk)).exists()
                # Delete testing object
                Model.delete(obj)
+
+                # If the primary key was specified, we restore it
+                obj.pk = oldpk
                return ret

        if permission_type == self.type:
            if self.field and field_name != self.field:
                return False
            self.update_query()
-            return obj in self.model.model_class().objects.filter(self.query).all()
+            return self.model.model_class().objects.filter(self.query & Q(pk=obj.pk)).exists()
        else:
            return False