Fix note display for users that don't have enough rights

2025-06-20 17:41:55 +02:00 · 2020-03-19 14:25:43 +01:00
parent 7a4f929b36
commit d083894e9b
6 changed files with 34 additions and 46 deletions
--- a/apps/note/api/serializers.py
+++ b/apps/note/api/serializers.py
@ -4,6 +4,7 @@
 from rest_framework import serializers
 from rest_polymorphic.serializers import PolymorphicSerializer

+from logs.middlewares import get_current_authenticated_user
 from ..models.notes import Note, NoteClub, NoteSpecial, NoteUser, Alias
 from ..models.transactions import TransactionTemplate, Transaction, MembershipTransaction, TemplateCategory, \
    TemplateTransaction, SpecialTransaction
@ -77,7 +78,10 @@ class AliasSerializer(serializers.ModelSerializer):
        fields = '__all__'

    def get_note(self, alias):
-        return NotePolymorphicSerializer().to_representation(alias.note)
+        if get_current_authenticated_user().has_perm("note.view_note", alias.note):
+            return NotePolymorphicSerializer().to_representation(alias.note)
+        else:
+            return alias.note.id


 class NotePolymorphicSerializer(PolymorphicSerializer):
--- a/apps/note/api/views.py
+++ b/apps/note/api/views.py
@ -75,20 +75,7 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):

        alias = self.request.query_params.get("alias", ".*")
        queryset = queryset.filter(
-            Q(alias__name__regex="^" + alias)
-            | Q(alias__normalized_name__regex="^" + alias.lower()))
-
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
+            Q(alias__name__regex="^" + alias) | Q(alias__normalized_name__regex="^" + alias.lower()))

        return queryset.distinct()

@ -117,25 +104,6 @@ class AliasViewSet(ReadProtectedModelViewSet):
        queryset = queryset.filter(
            Q(name__regex="^" + alias) | Q(normalized_name__regex="^" + alias.lower()))

-        note_id = self.request.query_params.get("note", None)
-        if note_id:
-            queryset = queryset.filter(id=note_id)
-
-        note_type = self.request.query_params.get("type", None)
-        if note_type:
-            types = str(note_type).lower()
-            if "user" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteuser")
-            elif "club" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="noteclub")
-            elif "special" in types:
-                queryset = queryset.filter(
-                    note__polymorphic_ctype__model="notespecial")
-            else:
-                queryset = queryset.none()
-
        return queryset


--- a/apps/permission/templatetags/perms.py
+++ b/apps/permission/templatetags/perms.py
@ -17,7 +17,9 @@ def has_perm(value):
@stringfilter
 def not_empty_model_list(model_name):
    user = get_current_authenticated_user()
-    if user.is_superuser:
+    if user is None:
+        return False
+    elif user.is_superuser:
        return True
    spl = model_name.split(".")
    ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
@ -28,7 +30,9 @@ def not_empty_model_list(model_name):
@stringfilter
 def not_empty_model_change_list(model_name):
    user = get_current_authenticated_user()
-    if user.is_superuser:
+    if user is None:
+        return False
+    elif user.is_superuser:
        return True
    spl = model_name.split(".")
    ct = ContentType.objects.get(app_label=spl[0], model=spl[1])