add permission control for general_option & exchange_menu

wuyue92tree · wuyue92tree · commit af31a30fc71b · 2019-07-10T17:19:44.000+08:00
diff --git a/adminlteui/admin.py b/adminlteui/admin.py
@@ -10,7 +10,7 @@
 from django.utils.translation import gettext_lazy as _
 from django.utils.html import format_html
 from django.conf import settings
-from django.http.response import HttpResponse
+from django.http.response import HttpResponse, HttpResponseForbidden
 from adminlteui.widgets import AdminlteSelect
 from treebeard.admin import TreeAdmin
 from treebeard.forms import movenodeform_factory
@@ -144,6 +144,11 @@ def get_urls(self):
         return urls + base_urls
 
     def general_option_view(self, request):
+        if request.user.has_perm('django_admin_settings.add_options') is False \
+                and request.user.has_perm(
+            'django_admin_settings.change_options') is False:
+            return HttpResponseForbidden(format_html('<h1>403 Forbidden</h1>'))
+
         context = dict(
             self.admin_site.each_context(request),
         )
@@ -230,6 +235,8 @@ def get_urls(self):
         return urls + base_urls
 
     def exchange_menu_view(self, request):
+        if request.user.has_perm('django_admin_settings.view_menu') is False:
+            return HttpResponseForbidden(format_html('<h1>403 Forbidden</h1>'))
         if request.is_ajax():
             response_data = dict()
             response_data['message'] = 'success'
@@ -244,12 +251,14 @@ def exchange_menu_view(self, request):
             if not use_custom_menu or use_custom_menu.option_value == '0':
                 use_custom_menu.option_value = '1'
                 use_custom_menu.save()
-                messages.add_message(request, messages.SUCCESS, _('Menu exchanged, current is `custom menu`.'))
+                messages.add_message(request, messages.SUCCESS, _(
+                    'Menu exchanged, current is `custom menu`.'))
 
             else:
                 use_custom_menu.option_value = '0'
                 use_custom_menu.save()
-                messages.add_message(request, messages.SUCCESS, _('Menu exchanged, current is `system menu`.'))
+                messages.add_message(request, messages.SUCCESS, _(
+                    'Menu exchanged, current is `system menu`.'))
             return HttpResponse(json.dumps(response_data),
                                 content_type="application/json,charset=utf-8")
         return HttpResponse('method not allowed.')
diff --git a/adminlteui/templatetags/adminlte_menu.py b/adminlteui/templatetags/adminlte_menu.py
@@ -42,7 +42,7 @@ def get_custom_menu(request):
     :return:
     """
     all_permissions = request.user.get_all_permissions()
-
+    print(all_permissions)
     limit_for_internal_link = []
     for permission in all_permissions:
         app_label = permission.split('.')[0]
@@ -75,7 +75,8 @@ def get_custom_menu(request):
             if children_item.get('data').get('link_type') == 0:
                 # internal link should connect a content_type, otherwise it will be hide.
                 if children_item.get('data').get('content_type'):
-                    obj = ContentType.objects.get(id=children_item.get('data').get('content_type'))
+                    obj = ContentType.objects.get(
+                        id=children_item.get('data').get('content_type'))
                     # if user hasn't permission, the model will be skip.
                     if obj.app_label + ':' + obj.model not in limit_for_internal_link:
                         continue
@@ -134,22 +135,23 @@ def get_menu(context, request):
 
     for app in available_apps:
         if app.get('app_label') == 'django_admin_settings':
-            app.get('models').insert(0,
-                                     {
-                                         'name': _('General Option'),
-                                         'object_name': 'Options',
-                                         'perms':
-                                             {
-                                                 'add': True,
-                                                 'change': True,
-                                                 'delete': True,
-                                                 'view': True
-                                             },
-                                         'admin_url': reverse(
-                                             'admin:general_option'),
-                                         'view_only': False
-                                     }
-                                     )
+            if request.user.has_perm('django_admin_settings.add_options') or \
+                    request.user.has_perm(
+                        'django_admin_settings.change_options'):
+                app.get('models').insert(0, {
+                    'name': _('General Option'),
+                    'object_name': 'Options',
+                    'perms':
+                        {
+                            'add': True,
+                            'change': True,
+                            'delete': True,
+                            'view': True
+                        },
+                    'admin_url': reverse(
+                        'admin:general_option'),
+                    'view_only': False
+                })
     # return MenuManager(available_apps, context, request)
     return available_apps
 
