Protect views from viewing if the user has no right to view an object

apps/note/api/views.py

@@ -6,6 +6,7 @@ from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.filters import OrderingFilter, SearchFilter
 
 from api.viewsets import ReadProtectedModelViewSet
+from member.backends import PermissionBackend
 from .serializers import NoteSerializer, NotePolymorphicSerializer, NoteClubSerializer, NoteSpecialSerializer, \
     NoteUserSerializer, AliasSerializer, \
     TemplateCategorySerializer, TransactionTemplateSerializer, TransactionPolymorphicSerializer
@@ -70,7 +71,7 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
         Parse query and apply filters.
         :return: The filtered set of requested notes
         """
-        queryset = super().get_queryset()
+        queryset = super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, Note, "view"))
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(
@@ -110,7 +111,7 @@ class AliasViewSet(ReadProtectedModelViewSet):
         :return: The filtered set of requested aliases
         """
 
-        queryset = super().get_queryset()
+        queryset = super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, Alias, "view"))
 
         alias = self.request.query_params.get("alias", ".*")
         queryset = queryset.filter(

apps/note/models/transactions.py

@@ -129,13 +129,14 @@ class Transaction(PolymorphicModel):
             models.Index(fields=['destination']),
         ]
 
-    def post_save(self, *args, **kwargs):
+    def save(self, *args, **kwargs):
         """
         When saving, also transfer money between two notes
         """
 
         if self.source.pk == self.destination.pk:
             # When source == destination, no money is transfered
+            super().save(*args, **kwargs)
             return
 
         created = self.pk is None

apps/note/views.py

@@ -9,6 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from django.views.generic import CreateView, ListView, UpdateView
 from django_tables2 import SingleTableView
 
+from member.backends import PermissionBackend
 from .forms import TransactionTemplateForm
 from .models import Transaction, TransactionTemplate, Alias, TemplateTransaction, NoteSpecial
 from .models.transactions import SpecialTransaction
@@ -18,16 +19,18 @@ from .tables import HistoryTable
 class TransactionCreate(LoginRequiredMixin, SingleTableView):
     """
     Show transfer page
-
-    TODO: If user have sufficient rights, they can transfer from an other note
     """
-    queryset = Transaction.objects.order_by("-id").all()[:50]
     template_name = "note/transaction_form.html"
 
     # Transaction history table
     table_class = HistoryTable
     table_pagination = {"per_page": 50}
 
+    def get_queryset(self):
+        return Transaction.objects.filter(PermissionBackend
+                                          .filter_queryset(self.request.user, Transaction, "view")) \
+                                            .order_by("-id").all()[:50]
+
     def get_context_data(self, **kwargs):
         """
         Add some context variables in template such as page title
@@ -117,21 +120,26 @@ class ConsoView(LoginRequiredMixin, SingleTableView):
     """
     Consume
     """
-    queryset = Transaction.objects.order_by("-id").all()[:50]
     template_name = "note/conso_form.html"
 
     # Transaction history table
     table_class = HistoryTable
     table_pagination = {"per_page": 50}
 
+    def get_queryset(self):
+        return Transaction.objects.filter(PermissionBackend
+                                          .filter_queryset(self.request.user, Transaction, "view")) \
+                                            .order_by("-id").all()[:50]
+
     def get_context_data(self, **kwargs):
         """
         Add some context variables in template such as page title
         """
         context = super().get_context_data(**kwargs)
         from django.db.models import Count
-        buttons = TransactionTemplate.objects.filter(display=True) \
-            .annotate(clicks=Count('templatetransaction')).order_by('category__name', 'name')
+        buttons = TransactionTemplate.objects.filter(PermissionBackend()
+                                                     .filter_queryset(self.request.user, TransactionTemplate, "view")) \
+            .filter(display=True).annotate(clicks=Count('templatetransaction')).order_by('category__name', 'name')
         context['transaction_templates'] = buttons
         context['most_used'] = buttons.order_by('-clicks', 'name')[:10]
         context['title'] = _("Consumptions")