From 10a2984cde1026d1dbfb9a03bcd262f1942fb4d3 Mon Sep 17 00:00:00 2001
From: Nick Smith
Date: Fri, 11 Jul 2014 11:46:18 +0100
Subject: [PATCH] More granular group view permissions checks
---
 wagtail/wagtailusers/views/groups.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wagtail/wagtailusers/views/groups.py b/wagtail/wagtailusers/views/groups.py
index 6515bea43..008a8cb0b 100644
--- a/wagtail/wagtailusers/views/groups.py
+++ b/wagtail/wagtailusers/views/groups.py
@@ -1,6 +1,6 @@
 from django.shortcuts import render, redirect, get_object_or_404
 from django.contrib.auth.models import Group
-from django.contrib.auth.decorators import permission_required
+from django.contrib.auth.decorators import permission_required, user_passes_test
 from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
 from django.contrib import messages
 from django.utils.translation import ugettext as _
@@ -11,10 +11,15 @@ from wagtail.wagtailadmin.forms import SearchForm
 from wagtail.wagtailusers.forms import GroupForm, BaseGroupPagePermissionFormSet
 from wagtail.wagtailcore.models import GroupPagePermission
-change_group_perm = "auth.change_group"
+
+def user_has_group_model_perm(user):
+ for verb in ['add', 'change', 'delete']:
+ if user.has_perm('auth.%s_group' % verb):
+ return True
+ return False
-@permission_required(change_group_perm)
+@user_passes_test(user_has_group_model_perm)
 @vary_on_headers('X-Requested-With')
 def index(request):
 q = None
@@ -71,7 +76,7 @@ def index(request):
 })
-@permission_required(change_group_perm)
+@permission_required('auth.add_group')
 def create(request):
 GroupPagePermissionFormSet = inlineformset_factory(
 Group,
@@ -100,7 +105,7 @@ def create(request):
 })
-@permission_required(change_group_perm)
+@permission_required('auth.change_group')
 def edit(request, group_id):
 group = get_object_or_404(Group, id=group_id)
 GroupPagePermissionFormSet = inlineformset_factory(
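Review bot: `user_has_group_model_perm` has no docstring, and nothing in the hunk records why `index` is deliberately opened to anyone holding any one of the add, change or delete permissions on `auth.Group` while `create` and `edit` stay tied to a single permission. A docstring such as `"""Return True if the user holds at least one of the add/change/delete permissions on auth.Group."""` would make the widened gate explicit, and the loop reads more directly as `return any(user.has_perm('auth.%s_group' % verb) for verb in ('add', 'change', 'delete'))`. The listing is now reachable by a user with only `auth.add_group` or `auth.delete_group`, so the index template presumably needs to hide edit links such a user cannot follow; that template is not part of this patch. The body of `index` continues outside the hunk.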
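Review bot: `create` is now gated on `auth.add_group` alone, but the visible start of its body builds a `GroupPagePermissionFormSet`, so a user who may only add groups can apparently also choose the page permissions attached to the new group; the same applies to `edit` with `auth.change_group` in the following hunk. If `GroupForm` also exposes the group's model permissions (not visible here), such a user could define a group carrying permissions they do not hold themselves, which matters wherever membership is later assigned by someone else. The intended trust level should be stated in a comment above the decorator, e.g. `# auth.add_group is treated as full authority over a new group's permissions`, or the offered permissions should be limited to those the requesting user already holds. Both functions continue outside their hunks.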