From 4ad12ab40a979f4201d7b31826623af20afba81f Mon Sep 17 00:00:00 2001
From: FreneticScribbler
Date: Sat, 11 Jan 2020 21:09:15 +0000
Subject: [PATCH] FIX: Prevent basic users seeing individual asset version history
I prevented them from seeing the change stream, didn't prevent them seeing individual histories. This has to be done as otherwise it leaks financial information. If I can be arsed I'll come back to this and allow basic users to see a filtered version.
---
 assets/templates/asset_update.html | 2 +-
 assets/urls.py | 2 +-
 templates/base_assets.html | 10 +++++-----
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/assets/templates/asset_update.html b/assets/templates/asset_update.html
index cdc51f50..6e950887 100644
--- a/assets/templates/asset_update.html
+++ b/assets/templates/asset_update.html
@@ -44,7 +44,7 @@
-{% if not edit %}
+{% if not edit and perms.assets.view_asset %}
diff --git a/assets/urls.py b/assets/urls.py
index 3acac945..dcfb5d24 100644
--- a/assets/urls.py
+++ b/assets/urls.py
@@ -15,7 +15,7 @@ urlpatterns = [
 (views.AssetEdit.as_view()), name='asset_update'),
 path('asset/id//duplicate/', permission_required_with_403('assets.add_asset')
 (views.AssetDuplicate.as_view()), name='asset_duplicate'),
- path('asset/id//history/', views.AssetVersionHistory.as_view(),
+ path('asset/id//history/', permission_required_with_403('assets.view_asset')(views.AssetVersionHistory.as_view()),
 name='asset_history', kwargs={'model': models.Asset}),
 path('activity', permission_required_with_403('assets.view_asset')
 (views.ActivityTable.as_view()), name='asset_activity_table'),
diff --git a/templates/base_assets.html b/templates/base_assets.html
index 0b6aeaa8..636c70df 100644
--- a/templates/base_assets.html
+++ b/templates/base_assets.html
@@ -10,7 +10,7 @@
 {% endblock %}
 {% block titleelements %}
- {% if perms.assets.view_asset %}
+ {# % if perms.assets.view_asset % #}
- {% endif %}
- {% if perms.assets.view_supplier %}
+ {# % endif % #}
+ {# % if perms.assets.view_supplier % #}
- {% endif %}
+ {# % endif % #}
 {% if perms.assets.view_asset %}
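Review bot: In assets/urls.py the `assets.view_asset` check for `asset_history` exists only in the URLconf wrapper, while `AssetVersionHistory` appears to be a model-generic view (it is routed with `kwargs={'model': models.Asset}`), so any other route that mounts the same view is not covered by this line. The rest of `urlpatterns` lies outside the hunk, so check there that every `AssetVersionHistory` route carries the matching permission, or move the check into the view so that a new route cannot omit it. A one-line comment above the entry, such as `# Version history can expose financial fields, so it needs view_asset like the activity table.`, would record why the guard is there. The added line is also far longer than its neighbours, which break before `(views.X.as_view())`; wrapping it the same way keeps the guard easy to spot when auditing the file. A test asserting that a user without `assets.view_asset` gets a 403 from `asset_history` would pin the fix.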
  • Recent Changes
  • {% endif %}
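Review bot: The two guards in `titleelements`, `{% if perms.assets.view_asset %}` and `{% if perms.assets.view_supplier %}`, are switched off by rewriting them as `{# % if … % #}` comments, so whatever markup they wrapped is now rendered for every user, which runs against the stated aim of this commit. That markup is not visible in the hunk, so it cannot be confirmed from here that the pages behind it enforce `view_asset` / `view_supplier` on the server side; verify this, because the template condition only ever hid the entry and was not the access control. If showing these entries to basic users is intended, delete the tags outright and say so in the commit message rather than leaving commented-out permission checks; otherwise restore `{% if perms.assets.view_asset %}` and `{% if perms.assets.view_supplier %}`.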