
permission check moved to get_object

Juan Carlos 4 سال پیش
والد
کامیت
3efd4df80a
3فایلهای تغییر یافته به همراه31 افزوده شده و 39 حذف شده
  1. 18 14
      marktplatz/models.py
  2. 0 18
      marktplatz/utils.py
  3. 13 7
      marktplatz/views.py

+ 18 - 14
marktplatz/models.py

@@ -180,22 +180,26 @@ class Product(models.Model):
     # credits = ForeignKey(Credit, null = True, blank=True, on_delete=models.SET_NULL, help_text="")
     #interaction = ForeignKey(Interaction, null = True,on_delete = models.SET_NULL, help_text="")
 
+
     def user_can_manage(self, user):
         return user.contact.id == self.contact.id
-        # print (user.contact.id, self.contact.id)
-        # return user == self.user or user.has_perm('your_app.manage_object')
-
-    @classmethod
-    def get_manageable_or_404(cls, user, *args, **kwargs):
-        item = get_object_or_404(cls, *args, **kwargs)
-        if not item.user_can_manage(user):
-            raise PermissionDenied
-        return item
-
-    @classmethod
-    def check_manageable(cls, user, *args, **kwargs):
-        product = get_object_or_404(cls, *args, **kwargs)
-        if product.user_can_manage(user):
+
+    # @classmethod
+    # def get_manageable_or_404(cls, user, *args, **kwargs):
+    #     item = get_object_or_404(cls, *args, **kwargs)
+    #     if not item.user_can_manage(user):
+    #         raise PermissionDenied
+    #     return item
+    #
+    # @classmethod
+    # def check_manageable(cls, user, *args, **kwargs):
+    #     product = get_object_or_404(cls, *args, **kwargs)
+    #     if product.user_can_manage(user):
+    #         return True
+    #     return False
+
+    def obj_check_manageable(self, user, *args, **kwargs):
+        if self.user_can_manage(user):
             return True
         return False
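Review bot: `obj_check_manageable` at the end of this hunk adds nothing over `user_can_manage`: it ignores `*args, **kwargs` and turns a boolean into the same boolean, so either call `user_can_manage` from the view or reduce it to `def obj_check_manageable(self, user):` with the body `return self.user_can_manage(user)`. Since this is now the only ownership gate for the update view, it deserves a short docstring saying that it compares the requesting user's contact id with the product's contact id, and that callers must raise `PermissionDenied` on a false result. `user_can_manage` dereferences `user.contact` and `self.contact` without a guard; whether either can be missing is not visible here, but if so the request would end in an unhandled exception rather than a 403. The two classmethods are commented out rather than removed; deleting them avoids leaving a stale authorization path in the file, and any callers of `get_manageable_or_404` or `check_manageable` outside this diff would need updating either way.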
 

+ 0 - 18
marktplatz/utils.py

@@ -2,21 +2,3 @@ from django.shortcuts import render, get_object_or_404, redirect
 from django.core.exceptions import PermissionDenied
 from django.http import HttpRequest, HttpResponse
 from .models import *
-
-def check_ownership(request: HttpRequest, *args, **kwargs) -> HttpRequest:
-    contact = Contact.objects.get(user=request.user)
-    # print ()
-
-    # try:
-    # product = Product.objects.get( pk=pk )
-    product = get_object_or_404( Product,  pk = kwargs['pk'] )
-    if (contact.id == product.contact.id ):
-        return True
-    return False
-
-    # get_object_or_404(Product, (Q(pk=pk) & Q(contact=contact)))
-    #
-    # if request.user = :
-    #     return request
-    # # Return a HTTP 403 back to the user
-    # raise PermissionDenied

+ 13 - 7
marktplatz/views.py

@@ -787,13 +787,13 @@ class ProductUpdateView(LoginRequiredMixin, UpdateView):
     # success_url =
 
 
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_authenticated:
-            return self.handle_no_permission()
-
-        if self.model.check_manageable(request.user,  id= kwargs['pk']):
-            return super().dispatch(request, *args, **kwargs)
-        raise PermissionDenied
+    # def dispatch(self, request, *args, **kwargs):
+    #     if not request.user.is_authenticated:
+    #         return self.handle_no_permission()
+    #
+    #     if self.model.check_manageable(request.user,  id= kwargs['pk']):
+    #         return super().dispatch(request, *args, **kwargs)
+    #     raise PermissionDenied
 
 
     def get_context_data(self, **kwargs):
@@ -801,6 +801,12 @@ class ProductUpdateView(LoginRequiredMixin, UpdateView):
         context['info_txt'] = Template(config.INFO_TXT).render(Context(context))
         return context
 
+    def get_object(self, queryset=None):
+        obj = super().get_object()
+        if (  obj.obj_check_manageable(self.request.user)  ):
+            return obj
+        raise PermissionDenied
+
     def post(self, request, *args, **kwargs):
         if 'add-image' in request.POST:
             self.gotoPics = True
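Review bot: With `dispatch` commented out in the first hunk, the ownership check in the new `get_object` only runs for handlers that actually call `self.get_object()`, so the overridden `post` just below must reach it (through `super().post(...)` or an explicit call) before acting on `'add-image'` or any other branch. Its body continues outside the hunk, so that cannot be confirmed from here. Separately, `get_object` accepts `queryset` but discards it; `obj = super().get_object(queryset)` keeps any caller-supplied restriction in effect. The extra parentheses and padding in the condition are unnecessary, `if obj.obj_check_manageable(self.request.user):` reads more cleanly, and the commented-out `dispatch` is better deleted than kept so it is clear which check is live.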