[per-object-permissions] Updated admin pages to use contains_permission, this means the admin interface will now show the change list link to a user even if they only have change row level permissions on one of the objects. Right now, it does list all the objects and does not filter out those that the user does not have permissions on.

git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3625 bcc190cf-cafb-0310-a4f2-bffc1f526a37

2 files changed, 23 insertions, 13 deletions

diff --git a/django/contrib/admin/templatetags/adminapplist.py b/django/contrib/admin/templatetags/adminapplist.py
index 5a8e288e27..4eeef1b0cf 100644
--- a/django/contrib/admin/templatetags/adminapplist.py
+++ b/django/contrib/admin/templatetags/adminapplist.py
@@ -27,11 +27,17 @@ class AdminApplistNode(template.Node):
                 for m in app_models:
                     if m._meta.admin:
                         if not m._meta.admin.hidden:
+                            #perms = {
+                                #'add': user.has_perm("%s.%s" % (app_label, m._meta.get_add_permission())),
+                                #'change': user.has_perm("%s.%s" % (app_label, m._meta.get_change_permission())),
+                                #'delete': user.has_perm("%s.%s" % (app_label, m._meta.get_delete_permission())),
+                            #}
+    
                             perms = {
-                                'add': user.has_perm("%s.%s" % (app_label, m._meta.get_add_permission())),
-                                'change': user.has_perm("%s.%s" % (app_label, m._meta.get_change_permission())),
-                                'delete': user.has_perm("%s.%s" % (app_label, m._meta.get_delete_permission())),
-                            }
+                                'add': user.contains_permission("%s.%s" % (app_label, m._meta.get_add_permission()), m),
+                                'change': user.contains_permission("%s.%s" % (app_label, m._meta.get_change_permission()), m),
+                                'delete': user.contains_permission("%s.%s" % (app_label, m._meta.get_delete_permission()), m),
+                            }    
     
                             # Check whether user has any perm for this module.
                             # If so, add the module to the model_list.
diff --git a/django/contrib/admin/views/main.py b/django/contrib/admin/views/main.py
index 4c76502a67..9cc2a697f9 100644
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@@ -311,16 +311,18 @@ def change_stage(request, app_label, model_name, object_id):
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
 
-    if not request.user.has_perm(app_label + '.' + opts.get_change_permission()):
+    try:
+        manipulator = model.ChangeManipulator(object_id)
+    except ObjectDoesNotExist:
+        raise Http404
+
+    if not request.user.has_perm(app_label + '.' + opts.get_change_permission(), object=manipulator.original_object):
         raise PermissionDenied
 
     if request.POST and request.POST.has_key("_saveasnew"):
         return add_stage(request, app_label, model_name, form_url='../../add/')
 
-    try:
-        manipulator = model.ChangeManipulator(object_id)
-    except ObjectDoesNotExist:
-        raise Http404
+
 
     if request.POST:
         new_data = request.POST.copy()
@@ -418,7 +420,7 @@ def _get_deleted_objects(deleted_objects, perms_needed, user, obj, opts, current
     if current_depth > 16:
         return # Avoid recursing too deep.
     opts_seen = []
-    for related in opts.get_all_related_objects():
+    for related in opts.related_objects():
         if related.opts in opts_seen:
             continue
         opts_seen.append(related.opts)
@@ -501,10 +503,12 @@ def delete_stage(request, app_label, model_name, object_id):
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
     opts = model._meta
-    if not request.user.has_perm(app_label + '.' + opts.get_delete_permission()):
-        raise PermissionDenied
+
     obj = get_object_or_404(model, pk=object_id)
 
+    if not request.user.has_perm(app_label + '.' + opts.get_delete_permission(), object=obj):
+        raise PermissionDenied
+
     # Populate deleted_objects, a data structure of all related objects that
     # will also be deleted.
     deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, escape(str(obj))), []]
@@ -741,7 +745,7 @@ def change_list(request, app_label, model_name):
     model = models.get_model(app_label, model_name)
     if model is None:
         raise Http404, "App %r, model %r, not found" % (app_label, model_name)
-    if not request.user.has_perm(app_label + '.' + model._meta.get_change_permission()):
+    if not request.user.contains_permission(app_label + '.' + model._meta.get_change_permission(), model):
         raise PermissionDenied
     try:
         cl = ChangeList(request, model)