FIX: Prevent basic users seeing individual asset version history

I prevented them from seeing the change stream, didn't prevent them seeing individual histories. This has to be done as otherwise it leaks financial information. If I can be arsed I'll come back to this and allow basic users to see a filtered version.
2026-01-17 05:22:16 +00:00 · 2020-01-11 21:09:15 +00:00
parent 13205770f1
commit 4ad12ab40a
3 changed files with 7 additions and 7 deletions
--- a/assets/templates/asset_update.html
+++ b/assets/templates/asset_update.html
@@ -44,7 +44,7 @@
  </div>
 </form>

-{% if not edit %}
+{% if not edit and perms.assets.view_asset %}
 <div class="col-sm-12 text-right">
    <div>
        <a href="{% url 'asset_history' object.asset_id %}" title="View Revision History">
--- a/assets/urls.py
+++ b/assets/urls.py
@@ -15,7 +15,7 @@ urlpatterns = [
         (views.AssetEdit.as_view()), name='asset_update'),
    path('asset/id/<str:pk>/duplicate/', permission_required_with_403('assets.add_asset')
         (views.AssetDuplicate.as_view()), name='asset_duplicate'),
-    path('asset/id/<str:pk>/history/', views.AssetVersionHistory.as_view(),
+    path('asset/id/<str:pk>/history/', permission_required_with_403('assets.view_asset')(views.AssetVersionHistory.as_view()),
         name='asset_history', kwargs={'model': models.Asset}),
    path('activity', permission_required_with_403('assets.view_asset')
         (views.ActivityTable.as_view()), name='asset_activity_table'),
--- a/templates/base_assets.html
+++ b/templates/base_assets.html
@@ -10,7 +10,7 @@
 {% endblock %}

 {% block titleelements %}
-    {% if perms.assets.view_asset %}
+    {# % if perms.assets.view_asset % #}
        <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown">Assets<b class="caret"></b></a>
            <ul class="dropdown-menu">
@@ -20,19 +20,19 @@
                {% endif %}
            </ul>
        </li>
-    {% endif %}
-    {% if perms.assets.view_supplier %}
+    {# % endif % #}
+    {# % if perms.assets.view_supplier % #}
        <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown"> Suppliers<b class="caret"></b></a>
            <ul class="dropdown-menu">
                <li><a href="{% url 'supplier_list' %}"><span class="glyphicon glyphicon-list"></span>
                    List Suppliers</a></li>
-                {% if perms.assets.add_asset %}
+                {% if perms.assets.add_supplier %}
                    <li><a href="{% url 'supplier_create' %}"><span class="glyphicon glyphicon-plus"></span> Create Supplier</a></li>
                {% endif %}
            </ul>
        </li>
-    {% endif %}
+    {# % endif % #}
    {% if perms.assets.view_asset %}
        <li><a href="{% url 'asset_activity_table' %}">Recent Changes</a></li>
    {% endif %}