FIX: Prevent basic users seeing individual asset version history

I prevented them from seeing the change stream, didn't prevent them seeing individual histories. This has to be done as otherwise it leaks financial information. If I can be arsed I'll come back to this and allow basic users to see a filtered version.
2026-01-17 05:22:16 +00:00 · 2020-01-11 21:09:15 +00:00
parent 13205770f1
commit 4ad12ab40a
3 changed files with 7 additions and 7 deletions
--- a/assets/templates/asset_update.html
+++ b/assets/templates/asset_update.html
@@ -44,7 +44,7 @@
  </div>
 </form>

-{% if not edit %}
+{% if not edit and perms.assets.view_asset %}
 <div class="col-sm-12 text-right">
    <div>
        <a href="{% url 'asset_history' object.asset_id %}" title="View Revision History">
--- a/assets/urls.py
+++ b/assets/urls.py
@@ -15,7 +15,7 @@ urlpatterns = [
         (views.AssetEdit.as_view()), name='asset_update'),
    path('asset/id/<str:pk>/duplicate/', permission_required_with_403('assets.add_asset')
         (views.AssetDuplicate.as_view()), name='asset_duplicate'),
-    path('asset/id/<str:pk>/history/', views.AssetVersionHistory.as_view(),
+    path('asset/id/<str:pk>/history/', permission_required_with_403('assets.view_asset')(views.AssetVersionHistory.as_view()),
         name='asset_history', kwargs={'model': models.Asset}),
    path('activity', permission_required_with_403('assets.view_asset')
         (views.ActivityTable.as_view()), name='asset_activity_table'),