From 13205770f10ced5e04f7c0e91a483122275fd622 Mon Sep 17 00:00:00 2001 From: FreneticScribbler Date: Sat, 11 Jan 2020 21:00:40 +0000 Subject: [PATCH 1/2] FIX: Correct template for AssetVersionHistory --- assets/views.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/assets/views.py b/assets/views.py index 395daac2..d0e5135e 100644 --- a/assets/views.py +++ b/assets/views.py @@ -213,8 +213,9 @@ class SupplierVersionHistory(versioning.VersionHistory): template_name = "asset_version_history.html" -# TODO: Reduce SQL queries class AssetVersionHistory(versioning.VersionHistory): + template_name = "asset_version_history.html" + def get_object(self, **kwargs): return get_object_or_404(models.Asset, asset_id=self.kwargs['pk']) From 4ad12ab40a979f4201d7b31826623af20afba81f Mon Sep 17 00:00:00 2001 From: FreneticScribbler Date: Sat, 11 Jan 2020 21:09:15 +0000 Subject: [PATCH 2/2] FIX: Prevent basic users seeing individual asset version history I prevented them from seeing the change stream, didn't prevent them seeing individual histories. This has to be done as otherwise it leaks financial information. If I can be arsed I'll come back to this and allow basic users to see a filtered version. --- assets/templates/asset_update.html | 2 +- assets/urls.py | 2 +- templates/base_assets.html | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/assets/templates/asset_update.html b/assets/templates/asset_update.html index cdc51f50..6e950887 100644 --- a/assets/templates/asset_update.html +++ b/assets/templates/asset_update.html @@ -44,7 +44,7 @@ -{% if not edit %} +{% if not edit and perms.assets.view_asset %}
diff --git a/assets/urls.py b/assets/urls.py index 3acac945..dcfb5d24 100644 --- a/assets/urls.py +++ b/assets/urls.py @@ -15,7 +15,7 @@ urlpatterns = [ (views.AssetEdit.as_view()), name='asset_update'), path('asset/id//duplicate/', permission_required_with_403('assets.add_asset') (views.AssetDuplicate.as_view()), name='asset_duplicate'), - path('asset/id//history/', views.AssetVersionHistory.as_view(), + path('asset/id//history/', permission_required_with_403('assets.view_asset')(views.AssetVersionHistory.as_view()), name='asset_history', kwargs={'model': models.Asset}), path('activity', permission_required_with_403('assets.view_asset') (views.ActivityTable.as_view()), name='asset_activity_table'), diff --git a/templates/base_assets.html b/templates/base_assets.html index 0b6aeaa8..636c70df 100644 --- a/templates/base_assets.html +++ b/templates/base_assets.html @@ -10,7 +10,7 @@ {% endblock %} {% block titleelements %} - {% if perms.assets.view_asset %} + {# % if perms.assets.view_asset % #}
  • Assets
      @@ -20,19 +20,19 @@ {% endif %}
    • - {% endif %} - {% if perms.assets.view_supplier %} + {# % endif % #} + {# % if perms.assets.view_supplier % #}
  • Suppliers
    • - {% endif %} + {# % endif % #} {% if perms.assets.view_asset %}
  • Recent Changes
    • {% endif %}