From 4dd89c0b730d00e5eb1e4dec31806f73694e20e0 Mon Sep 17 00:00:00 2001
From: FreneticScribbler <aj@aronajones.com>
Date: Thu, 23 Jan 2020 16:29:10 +0000
Subject: [PATCH] FIX: Re-prevent basic seeing reversion

This is to prevent financials/client data leaking when changed. Hopefully can show them a filtered version in future.
---
 RIGS/templates/RIGS/event_detail.html | 6 +++---
 RIGS/templates/RIGS/item_row.html     | 2 ++
 RIGS/templates/RIGS/item_table.html   | 2 ++
 RIGS/urls.py                          | 6 +++---
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/RIGS/templates/RIGS/event_detail.html b/RIGS/templates/RIGS/event_detail.html
index 6e3bda81..b3e7d3a5 100644
--- a/RIGS/templates/RIGS/event_detail.html
+++ b/RIGS/templates/RIGS/event_detail.html
@@ -74,7 +74,7 @@
             {% endif %}
         </div>
     {% endif %}
-    <div class="col-sm-12 {% if event.is_rig %}col-md-6 col-lg-7{% endif %}">
+    <div class="col-sm-12 {% if event.is_rig and perms.RIGS.view_event %}col-md-6 col-lg-7{% endif %}">
         <div class="panel panel-info">
             <div class="panel-heading">Event Info</div>
             <div class="panel-body">
@@ -240,7 +240,7 @@
         </div>
         {% endif %}
     {% endif %}
-    {% if not request.is_ajax %}
+    {% if not request.is_ajax and perms.RIGS.view_event %}
         <div class="col-sm-12 text-right">
             <div>
                 <a href="{% url 'event_history' object.pk %}" title="View Revision History">
@@ -252,7 +252,7 @@
 </div>
 {% endblock %}
 
-{% if request.is_ajax %}
+{% if request.is_ajax and perms.RIGS.view_event %}
     {% block footer %}
         <div class="row">
             <div class="col-sm-10 align-left">
diff --git a/RIGS/templates/RIGS/item_row.html b/RIGS/templates/RIGS/item_row.html
index beb4bd75..b2ff0c44 100644
--- a/RIGS/templates/RIGS/item_row.html
+++ b/RIGS/templates/RIGS/item_row.html
@@ -8,7 +8,9 @@
 	</td>
     {% if perms.RIGS.view_event %}
 	<td>£&nbsp;<span class="cost">{{item.cost|floatformat:2}}</span></td>
+    {% endif %}
 	<td class="quantity">{{item.quantity}}</td>
+    {% if perms.RIGS.view_event %}
 	<td>£&nbsp;<span class="sub-total" data-subtotal="{{item.total_cost}}">{{item.total_cost|floatformat:2}}</span></td>
     {% endif %}
 	{% if edit %}
diff --git a/RIGS/templates/RIGS/item_table.html b/RIGS/templates/RIGS/item_table.html
index ce2013b9..9f055aa9 100644
--- a/RIGS/templates/RIGS/item_table.html
+++ b/RIGS/templates/RIGS/item_table.html
@@ -5,7 +5,9 @@
 				<td>Item</td>
                 {% if perms.RIGS.view_event %}
 				<td>Price</td>
+                {% endif %}
 				<td>Quantity</td>
+                {% if perms.RIGS.view_event %}
 				<td>Sub-total</td>
                 {% endif %}
 				{% if edit %}
diff --git a/RIGS/urls.py b/RIGS/urls.py
index bc630bcb..a8ac4259 100644
--- a/RIGS/urls.py
+++ b/RIGS/urls.py
@@ -81,10 +81,10 @@ urlpatterns = [
         login_required()(rigboard.WebCalendar.as_view()), name='web_calendar'),
     url(r'^rigboard/archive/$', RedirectView.as_view(permanent=True, pattern_name='event_archive')),
     url(r'^rigboard/activity/$',
-        login_required()(versioning.ActivityTable.as_view()),
+        permission_required_with_403('perms.RIGS.view_event')(versioning.ActivityTable.as_view()),
         name='activity_table'),
     url(r'^rigboard/activity/feed/$',
-        login_required()(versioning.ActivityFeed.as_view()),
+        permission_required_with_403('perms.RIGS.view_event')(versioning.ActivityFeed.as_view()),
         name='activity_feed'),
 
     url(r'^event/(?P<pk>\d+)/$', has_oembed(oembed_view="event_oembed")(
@@ -116,7 +116,7 @@ urlpatterns = [
         name='event_archive'),
 
     url(r'^event/(?P<pk>\d+)/history/$',
-        login_required()(versioning.VersionHistory.as_view()),
+        permission_required_with_403('RIGS.view_event')(versioning.VersionHistory.as_view()),
         name='event_history', kwargs={'model': models.Event}),
 
     # Finance