Commit 4b8dd744 authored by Romain Courteaud's avatar Romain Courteaud

[erp5_hal_json_style] Base_edit: return an 403 code if user can't edit the document

parent bc823dd5
...@@ -22,18 +22,17 @@ if request.get('field_prefix', None): ...@@ -22,18 +22,17 @@ if request.get('field_prefix', None):
if dialog_id not in ('', None): if dialog_id not in ('', None):
form_id = dialog_id form_id = dialog_id
# Prevent users who don't have rights to edit the object from
# editing it by calling the Base_edit script with correct
# parameters directly.
if not silent_mode and not request.AUTHENTICATED_USER.has_permission('Modify portal content', context) :
msg = Base_translateString("You do not have the permissions to edit the object.")
redirect_url = '%s/%s?selection_index=%s&selection_name=%s&%s' % (context.absolute_url(), form_id, selection_index, selection_name, 'portal_status_message=%s' % msg)
return context.Base_redirect(redirect_url)
# Get the form # Get the form
form = getattr(context,form_id) form = getattr(context,form_id)
edit_order = form.edit_order edit_order = form.edit_order
# Prevent users who don't have rights to edit the object from
# editing it by calling the Base_edit script with correct
# parameters directly.
if not silent_mode and not request.AUTHENTICATED_USER.has_permission('Modify portal content', context):
request.RESPONSE.setStatus(403)
return context.ERP5Document_getHateoas(form=form, REQUEST=request, mode='form')
try: try:
# Validate # Validate
form.validate_all_to_request(request, key_prefix=key_prefix) form.validate_all_to_request(request, key_prefix=key_prefix)
......