From c7995c5241ffc8acaa647246c0dfe68bd4cd1f40 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Fri, 7 Jun 2013 08:52:57 -0700
Subject: [PATCH] Fixed bugs where edit links were appearing for unprivileged users.
---
 rattail/pyramid/templates/customergroups/crud.mako | 2 +-
 rattail/pyramid/templates/customers/crud.mako | 2 +-
 rattail/pyramid/templates/products/crud.mako | 2 +-
 rattail/pyramid/templates/stores/crud.mako | 2 +-
 rattail/pyramid/views/crud.py | 8 ++++++--
 rattail/pyramid/views/customergroups.py | 3 ++-
 rattail/pyramid/views/stores.py | 3 ++-
 7 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/rattail/pyramid/templates/customergroups/crud.mako b/rattail/pyramid/templates/customergroups/crud.mako
index f616ce8b..5e534665 100644
--- a/rattail/pyramid/templates/customergroups/crud.mako
+++ b/rattail/pyramid/templates/customergroups/crud.mako
@@ -2,7 +2,7 @@
 <%def name="context_menu_items()">
  • ${h.link_to("Back to Customer Groups", url('customer_groups'))}
  •
- % if form.readonly:
+ % if form.readonly and request.has_perm('customer_groups.update'):
  • ${h.link_to("Edit this Customer Group", url('customer_group.update', uuid=form.fieldset.model.uuid))}
  • % elif form.updating:
  • ${h.link_to("View this Customer Group", url('customer_group.read', uuid=form.fieldset.model.uuid))}
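Review bot: The added `request.has_perm('customer_groups.update')` test only hides the edit link; it does not stop a user without that permission from requesting the `customer_group.update` URL directly, and the view registration that would enforce the permission is not part of this diff. Confirm that each update view is declared with the matching permission (for example `permission='customer_groups.update'` in its view configuration), otherwise the fix is cosmetic. The same applies to the identical one-line changes in customers/crud.mako, products/crud.mako and stores/crud.mako. The enclosing `context_menu_items` def continues past the visible lines.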
  •
diff --git a/rattail/pyramid/templates/customers/crud.mako b/rattail/pyramid/templates/customers/crud.mako
index 98d13572..c385719c 100644
--- a/rattail/pyramid/templates/customers/crud.mako
+++ b/rattail/pyramid/templates/customers/crud.mako
@@ -2,7 +2,7 @@
 <%def name="context_menu_items()">
  • ${h.link_to("Back to Customers", url('customers'))}
  •
- % if form.readonly:
+ % if form.readonly and request.has_perm('customers.update'):
  • ${h.link_to("Edit this Customer", url('customer.update', uuid=form.fieldset.model.uuid))}
  • % elif form.updating:
  • ${h.link_to("View this Customer", url('customer.read', uuid=form.fieldset.model.uuid))}
  •
diff --git a/rattail/pyramid/templates/products/crud.mako b/rattail/pyramid/templates/products/crud.mako
index ba53dea8..46d1e9c0 100644
--- a/rattail/pyramid/templates/products/crud.mako
+++ b/rattail/pyramid/templates/products/crud.mako
@@ -2,7 +2,7 @@
 <%def name="context_menu_items()">
  • ${h.link_to("Back to Products", url('products'))}
  •
- % if form.readonly:
+ % if form.readonly and request.has_perm('products.update'):
  • ${h.link_to("Edit this Product", url('product.update', uuid=form.fieldset.model.uuid))}
  • % elif form.updating:
  • ${h.link_to("View this Product", url('product.read', uuid=form.fieldset.model.uuid))}
  •
diff --git a/rattail/pyramid/templates/stores/crud.mako b/rattail/pyramid/templates/stores/crud.mako
index 9f885fbc..dd2ae4cd 100644
--- a/rattail/pyramid/templates/stores/crud.mako
+++ b/rattail/pyramid/templates/stores/crud.mako
@@ -2,7 +2,7 @@
 <%def name="context_menu_items()">
  • ${h.link_to("Back to Stores", url('stores'))}
  •
- % if form.readonly:
+ % if form.readonly and request.has_perm('stores.update'):
  • ${h.link_to("Edit this Store", url('store.update', uuid=form.fieldset.model.uuid))}
  • % elif form.updating:
  • ${h.link_to("View this Store", url('store.read', uuid=form.fieldset.model.uuid))}
  •
diff --git a/rattail/pyramid/views/crud.py b/rattail/pyramid/views/crud.py
index db02a00e..ce0e0eb6 100644
--- a/rattail/pyramid/views/crud.py
+++ b/rattail/pyramid/views/crud.py
@@ -82,8 +82,12 @@ class CrudView(View):
 return self.make_fieldset(model)
 def make_form(self, model, **kwargs):
- self.creating = model is self.mapped_class
- self.updating = not self.creating
+ if self.readonly:
+ self.creating = False
+ self.updating = False
+ else:
+ self.creating = model is self.mapped_class
+ self.updating = not self.creating
 fieldset = self.fieldset(model)
 kwargs.setdefault('pretty_name', self.pretty_name)
diff --git a/rattail/pyramid/views/customergroups.py b/rattail/pyramid/views/customergroups.py
index c3832410..d3cdcd75 100644
--- a/rattail/pyramid/views/customergroups.py
+++ b/rattail/pyramid/views/customergroups.py
@@ -26,9 +26,10 @@
 ``rattail.pyramid.views.customergroups`` -- CustomerGroup Views
 """
-from edbob.pyramid.views import SearchableAlchemyGridView, CrudView
+from edbob.pyramid.views import SearchableAlchemyGridView
 import rattail
+from rattail.pyramid.views import CrudView
 class CustomerGroupsGrid(SearchableAlchemyGridView):
diff --git a/rattail/pyramid/views/stores.py b/rattail/pyramid/views/stores.py
index 197c055f..9e16dfe2 100644
--- a/rattail/pyramid/views/stores.py
+++ b/rattail/pyramid/views/stores.py
@@ -28,9 +28,10 @@
 from sqlalchemy import and_
-from edbob.pyramid.views import SearchableAlchemyGridView, CrudView
+from edbob.pyramid.views import SearchableAlchemyGridView
 import rattail
+from rattail.pyramid.views import CrudView
 class StoresGrid(SearchableAlchemyGridView):
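Review bot: In `make_form` (rattail/pyramid/views/crud.py) the new branch reads `self.readonly`, but nothing in the hunk shows where that attribute is set or defaulted; if any path reaches `make_form` without it the call raises AttributeError, so a class-level `readonly = False` would be a safe default if one does not already exist. The branch would also benefit from a comment such as `# a read-only form is neither creating nor updating; the crud templates branch on these flags`, because the template condition now falls through to `elif form.updating` for a viewer without the update permission and relies on this being False. Only customergroups.py and stores.py are switched to this CrudView in the commit; the customers and products views are not shown, so it is worth checking that they already import it from `rattail.pyramid.views`. The body of `make_form` continues outside the hunk.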