FIX: Re-prevent basic seeing reversion

This is to prevent financials/client data leaking when changed. Hopefully can show them a filtered version in future.
2026-01-22 07:52:15 +00:00 · 2020-01-23 16:29:10 +00:00
parent 20a6cca9d3
commit 4dd89c0b73
4 changed files with 10 additions and 6 deletions
--- a/RIGS/templates/RIGS/event_detail.html
+++ b/RIGS/templates/RIGS/event_detail.html
@@ -74,7 +74,7 @@
            {% endif %}
        </div>
    {% endif %}
-    <div class="col-sm-12 {% if event.is_rig %}col-md-6 col-lg-7{% endif %}">
+    <div class="col-sm-12 {% if event.is_rig and perms.RIGS.view_event %}col-md-6 col-lg-7{% endif %}">
        <div class="panel panel-info">
            <div class="panel-heading">Event Info</div>
            <div class="panel-body">
@@ -240,7 +240,7 @@
        </div>
        {% endif %}
    {% endif %}
-    {% if not request.is_ajax %}
+    {% if not request.is_ajax and perms.RIGS.view_event %}
        <div class="col-sm-12 text-right">
            <div>
                <a href="{% url 'event_history' object.pk %}" title="View Revision History">
@@ -252,7 +252,7 @@
 </div>
 {% endblock %}
-{% if request.is_ajax %}
+{% if request.is_ajax and perms.RIGS.view_event %}
    {% block footer %}
        <div class="row">
            <div class="col-sm-10 align-left">
--- a/RIGS/templates/RIGS/item_row.html
+++ b/RIGS/templates/RIGS/item_row.html
@@ -8,7 +8,9 @@
 	</td>
    {% if perms.RIGS.view_event %}
 	<td>£&nbsp;<span class="cost">{{item.cost|floatformat:2}}</span></td>
    {% endif %}
 	<td class="quantity">{{item.quantity}}</td>
    {% if perms.RIGS.view_event %}
 	<td>£&nbsp;<span class="sub-total" data-subtotal="{{item.total_cost}}">{{item.total_cost|floatformat:2}}</span></td>
    {% endif %}
 	{% if edit %}
--- a/RIGS/templates/RIGS/item_table.html
+++ b/RIGS/templates/RIGS/item_table.html
@@ -5,7 +5,9 @@
 				<td>Item</td>
                {% if perms.RIGS.view_event %}
 				<td>Price</td>
                {% endif %}
 				<td>Quantity</td>
                {% if perms.RIGS.view_event %}
 				<td>Sub-total</td>
                {% endif %}
 				{% if edit %}
--- a/RIGS/urls.py
+++ b/RIGS/urls.py
@@ -81,10 +81,10 @@ urlpatterns = [
        login_required()(rigboard.WebCalendar.as_view()), name='web_calendar'),
    url(r'^rigboard/archive/$', RedirectView.as_view(permanent=True, pattern_name='event_archive')),
    url(r'^rigboard/activity/$',
-        login_required()(versioning.ActivityTable.as_view()),
+        permission_required_with_403('perms.RIGS.view_event')(versioning.ActivityTable.as_view()),
        name='activity_table'),
    url(r'^rigboard/activity/feed/$',
-        login_required()(versioning.ActivityFeed.as_view()),
+        permission_required_with_403('perms.RIGS.view_event')(versioning.ActivityFeed.as_view()),
        name='activity_feed'),
    url(r'^event/(?P<pk>\d+)/$', has_oembed(oembed_view="event_oembed")(
@@ -116,7 +116,7 @@ urlpatterns = [
        name='event_archive'),
    url(r'^event/(?P<pk>\d+)/history/$',
-        login_required()(versioning.VersionHistory.as_view()),
+        permission_required_with_403('RIGS.view_event')(versioning.VersionHistory.as_view()),
        name='event_history', kwargs={'model': models.Event}),
    # Finance