From c461eb29b53499c72bfeea1922883b8f40be1076 Mon Sep 17 00:00:00 2001
From: Dominik George <dominik.george@teckids.org>
Date: Thu, 17 Mar 2022 21:24:18 +0100
Subject: [PATCH] Move action form permission check to clean_ method
---
aleksis/core/forms.py | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/aleksis/core/forms.py b/aleksis/core/forms.py
index 2299c3fc5..c620c1186 100644
--- a/aleksis/core/forms.py
+++ b/aleksis/core/forms.py
@@ -722,6 +722,26 @@ class ActionForm(forms.Form):
self.fields["selected_objects"].queryset = self.queryset
self.fields["action"].choices = self._get_action_choices()
+ def clean_action(self):
+ action = self._get_actions_dict().get(self.cleaned_data["action"], None)
+ if not action:
+ raise ValidationError(_("The selected action does not exist."))
+ return action
+
+ def clean_selected_objects(self):
+ action = self.cleaned_data["action"]
+ if hasattr(action, "permission"):
+ selected_objects = queryset_rules_filter(
+ self.request, self.cleaned_data["selected_objects"], action.permission
+ )
+ if selected_objects.count() < self.cleaned_data["selected_objects"].count():
+ raise ValidationError(
+ _("You do not have permission to run {} on all selected objects.").format(
+ getattr(value, "short_description", value.__name__)
+ )
+ )
+ return self.cleaned_data["selected_objects"]
+
def execute(self) -> bool:
"""Execute the selected action on all selected objects.
@@ -729,11 +749,7 @@ class ActionForm(forms.Form):
"""
if self.is_valid():
data = self.cleaned_data["selected_objects"]
- action = self._get_actions_dict()[self.cleaned_data["action"]]
-
- if hasattr(action, "permission"):
- data = queryset_rules_filter(self.request, data, action.permission)
-
+ action = self.cleaned_data["action"]
action(None, self.request, data)
return True
--
GitLab