Only staff with good permission mask can visit Django Admin

2025-06-21 01:48:21 +02:00 · 2020-07-29 11:38:59 +02:00
parent d455c5c533
commit b8a88eeda4
13 changed files with 196 additions and 162 deletions
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@ -42,7 +42,7 @@ class PermissionBackend(ModelBackend):

        for membership in memberships:
            for role in membership.roles.all():
-                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", 42)).all():
+                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
                    if not perm.permanent:
                        if membership.date_start > timezone.now().date() or membership.date_end < timezone.now().date():
                            continue
@ -101,7 +101,7 @@ class PermissionBackend(ModelBackend):
            # Anonymous users can't do anything
            return Q(pk=-1)

-        if user.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
+        if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            # Superusers have all rights
            return Q()

@ -137,7 +137,7 @@ class PermissionBackend(ModelBackend):
        if sess is not None and sess.session_key is None:
            return False

-        if user_obj.is_superuser and get_current_session().get("permission_mask", 42) >= 42:
+        if user_obj.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            return True

        if obj is None: