triv: permissions for actions change

oko-x · oko-x · commit aebd8700bc45 · 2024-05-14T13:32:53.000+02:00
diff --git a/src/django_smartbase_admin/actions/admin_action_list.py b/src/django_smartbase_admin/actions/admin_action_list.py
@@ -119,17 +119,6 @@ def get_excel_columns(self):
             if field.field in values
         ]
 
-    def process_actions_permissions(self, actions):
-        result = []
-        for action in actions:
-            if self.view.has_permission(
-                self.threadsafe_request,
-                obj=None,
-                permission=action,
-            ):
-                result.append(action)
-        return result
-
     def get_template_data(self):
         context_data = self.view.get_context_data(self.threadsafe_request)
         constants = {
@@ -166,17 +155,18 @@ def get_template_data(self):
         tabulator_definition["constants"] = constants
 
         list_actions = self.list_actions or self.view._get_sbadmin_list_actions()
-        list_selection_actions = self.view.get_sbadmin_list_selection_actions_grouped()
 
         context_data.update(
             {
                 "const": constants,
                 "tabulator_definition": tabulator_definition,
                 "id_column_name": id_column_name,
                 "filters": self.get_filters(),
-                "list_actions": self.process_actions_permissions(list_actions),
-                "list_selection_actions": self.process_actions_permissions(
-                    list_selection_actions
+                "list_actions": self.view.process_actions_permissions(
+                    self.threadsafe_request, list_actions
+                ),
+                "list_selection_actions": self.view.get_sbadmin_list_selection_actions_grouped(
+                    self.threadsafe_request
                 ),
                 "config_url": self.view.get_config_url(),
                 "new_url": (
diff --git a/src/django_smartbase_admin/engine/actions.py b/src/django_smartbase_admin/engine/actions.py
@@ -1,32 +1,48 @@
+from django.core.exceptions import ImproperlyConfigured
 from django.utils.text import slugify
 
 
 class SBAdminCustomAction(object):
     title = None
     url = None
-    slug = None
+    view = None
+    action_id = None
     css_class = None
     no_params = False
     open_in_modal = False
 
     def __init__(
         self,
         title,
-        url,
-        slug=None,
+        url=None,
+        view=None,
+        action_id=None,
+        action_modifier=None,
         css_class=None,
         no_params=False,
         open_in_modal=False,
         group=None,
     ) -> None:
         super().__init__()
+
+        if not (url or (view and action_id)):
+            raise ImproperlyConfigured(
+                "You must provide either url or view and action_id"
+            )
+
         self.title = title
         self.url = url
-        self.slug = slug if slug is not None else slugify(title)
+        self.view = view
+        self.action_id = action_id
+        self.action_modifier = action_modifier
         self.css_class = css_class
         self.no_params = no_params
         self.open_in_modal = open_in_modal
         self.group = group
+        if not url and not action_modifier:
+            self.url = self.view.get_action_url(self.action_id)
+        if not url and action_modifier is not None:
+            self.url = self.view.get_action_url(self.action_id, action_modifier)
 
 
 class SBAdminAction(object):
diff --git a/src/django_smartbase_admin/engine/admin_base_view.py b/src/django_smartbase_admin/engine/admin_base_view.py
@@ -65,11 +65,25 @@ def has_change_permission(self, request, obj=None):
     def has_delete_permission(self, request, obj=None):
         return self.has_permission(request, obj, "delete")
 
+    def has_permission_for_action(self, request, action_id):
+        return self.has_permission(
+            request,
+            obj=None,
+            permission=action_id,
+        )
+
     def has_view_or_change_permission(self, request, obj=None):
         return self.has_view_permission(request, obj) or self.has_change_permission(
             request, obj
         )
 
+    def process_actions_permissions(self, request, actions):
+        result = []
+        for action in actions:
+            if self.has_permission_for_action(request, action.action_id):
+                result.append(action)
+        return result
+
     def init_view_dynamic(self, request, request_data=None, **kwargs):
         if not self.has_view_or_change_permission(request):
             raise PermissionDenied
@@ -96,6 +110,9 @@ def action_view(self, request, action=None, modifier=None):
         action_function = getattr(self, action, None)
         if not action_function:
             raise Http404
+        permitted_action = self.has_permission_for_action(request, action)
+        if not permitted_action:
+            raise PermissionDenied
         return action_function(request, modifier)
 
     def get_action_url(self, action, modifier="template"):
@@ -367,7 +384,8 @@ def _get_sbadmin_list_actions(self):
                 *list_actions,
                 SBAdminCustomAction(
                     title=_(f"Reorder {self.model._meta.verbose_name}"),
-                    url=self.get_action_url(Action.ENTER_REORDER.value),
+                    view=self,
+                    action_id=Action.ENTER_REORDER.value,
                     no_params=True,
                 ),
             ]
@@ -378,7 +396,8 @@ def get_sbadmin_list_actions(self):
             self.sbadmin_list_actions = [
                 SBAdminCustomAction(
                     title=_("Download XLSX"),
-                    url=self.get_action_url(action=Action.XLSX_EXPORT.value),
+                    view=self,
+                    action_id=Action.XLSX_EXPORT.value,
                 )
             ]
         return self.sbadmin_list_actions
@@ -388,19 +407,24 @@ def get_sbadmin_list_selection_actions(self):
             self.sbadmin_list_selection_actions = [
                 SBAdminCustomAction(
                     title=_("Export Selected"),
-                    url=self.get_action_url(action=Action.XLSX_EXPORT.value),
+                    view=self,
+                    action_id=Action.XLSX_EXPORT.value,
                 ),
                 SBAdminCustomAction(
                     title=_("Delete Selected"),
-                    url=self.get_action_url(action=Action.BULK_DELETE.value),
+                    view=self,
+                    action_id=Action.BULK_DELETE.value,
                     css_class="btn-destructive",
                 ),
             ]
         return self.sbadmin_list_selection_actions
 
-    def get_sbadmin_list_selection_actions_grouped(self):
+    def get_sbadmin_list_selection_actions_grouped(self, request):
         result = {}
-        for action in self.get_sbadmin_list_selection_actions():
+        list_selection_actions = self.process_actions_permissions(
+            request, self.get_sbadmin_list_selection_actions()
+        )
+        for action in list_selection_actions:
             if not result.get(action.group):
                 result.update({action.group: []})
             result[action.group].append(action)
