From 0940388c67f17c3061e3d5f55861ee82646c9561 Mon Sep 17 00:00:00 2001
From: "J.-S. Caux" <J.S.Caux@uva.nl>
Date: Wed, 20 Feb 2019 05:03:51 +0100
Subject: [PATCH] Add viewing permissions for SubsidyAttachment
---
 finances/models.py | 6 ++++++
 finances/views.py | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/finances/models.py b/finances/models.py
index cd3c7012e..3776c57fd 100644
--- a/finances/models.py
+++ b/finances/models.py
@@ -71,6 +71,12 @@ class SubsidyAttachment(models.Model):
 if self.subsidy:
 return reverse('finances:subsidy_attachment', args=(self.subsidy.id, self.id))
+ def visible_to_user(self, current_user):
+ if self.publicly_visible or current_user.has_perm('scipost.can_manage_subsidies'):
+ return True
+ if self.subsidy.organization.contactrole_set.filter(contact__user=current_user).exists():
+ return True
+ return False
 ###########################
diff --git a/finances/views.py b/finances/views.py
index 3cd4089fd..544e7fa0b 100644
--- a/finances/views.py
+++ b/finances/views.py
@@ -7,6 +7,7 @@ import mimetypes
 from django.contrib import messages
 from django.contrib.auth.decorators import permission_required
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
 from django.core.urlresolvers import reverse_lazy
 from django.http import Http404, HttpResponse
 from django.shortcuts import get_object_or_404, render
@@ -83,7 +84,8 @@ class SubsidyDetailView(DetailView):
 def subsidy_attachment(request, subsidy_id, attachment_id):
 attachment = get_object_or_404(SubsidyAttachment.objects,
 subsidy__id=subsidy_id, id=attachment_id)
-
+ if not attachment.visible_to_user(request.user):
+ return PermissionDenied
 content_type, encoding = mimetypes.guess_type(attachment.attachment.path)
 content_type = content_type or 'application/octet-stream'
 response = HttpResponse(attachment.attachment.read(), content_type=content_type)
-- 
GitLab
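Review bot: visible_to_user dereferences `self.subsidy.organization` on its fourth added line without checking that a subsidy is set, while the context line just above it (`if self.subsidy:`) treats the subsidy as optional, so an attachment without one raises AttributeError instead of returning False. The same contactrole_set lookup is also reached for an unauthenticated visitor whenever the attachment is not publicly visible (the caller in views.py carries no login requirement in this patch), and as far as I recall the ORM rejects an AnonymousUser as a filter value, so that request errors rather than being denied. Neither path fails open, but an authorization check should answer with a clean refusal, not a server error; I would make the second test `if self.subsidy and current_user.is_authenticated and self.subsidy.organization.contactrole_set.filter(contact__user=current_user).exists():` (is_authenticated is a call on older Django releases). A one-line docstring saying this method is the sole access rule for serving the file would help, since the view now depends entirely on it.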
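Review bot: `return PermissionDenied` on the second added line of subsidy_attachment hands Django the exception class as the view's return value instead of raising it, so a denied request ends in a "view didn't return an HttpResponse" server error rather than a 403; the line should read `raise PermissionDenied`. The file is still withheld in that case, but the refusal is logged and reported as a crash rather than as an access decision, which hides the real cause from operators and monitoring. The check is correctly placed before the attachment is opened and read. subsidy_attachment's body continues outside the hunk.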