From bdc57abd5a54384ed98e3d887d3c59c9249b8e3e Mon Sep 17 00:00:00 2001
From: Lance Edgar <lance@edbob.org>
Date: Tue, 20 Aug 2024 17:02:38 -0500
Subject: [PATCH] fix: show CRUD buttons in header only if relevant and user
 has access

---
 src/wuttaweb/templates/base.mako | 68 ++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 30 deletions(-)

diff --git a/src/wuttaweb/templates/base.mako b/src/wuttaweb/templates/base.mako
index ce5e4ca..ffe903c 100644
--- a/src/wuttaweb/templates/base.mako
+++ b/src/wuttaweb/templates/base.mako
@@ -482,36 +482,44 @@
 <%def name="render_crud_header_buttons()">
   % if master:
       % if master.viewing:
-         <wutta-button once
-                       tag="a" href="${master.get_action_url('edit', instance)}"
-                       icon-left="edit"
-                       label="Edit This" />
-         % if instance_deletable:
-             <wutta-button once type="is-danger"
-                           tag="a" href="${master.get_action_url('delete', instance)}"
-                           icon-left="trash"
-                           label="Delete This" />
-         % endif
-     % elif master.editing:
-         <wutta-button once
-                       tag="a" href="${master.get_action_url('view', instance)}"
-                       icon-left="eye"
-                       label="View This" />
-         % if instance_deletable:
-             <wutta-button once type="is-danger"
-                           tag="a" href="${master.get_action_url('delete', instance)}"
-                           icon-left="trash"
-                           label="Delete This" />
-         % endif
-     % elif master.deleting:
-         <wutta-button once
-                       tag="a" href="${master.get_action_url('view', instance)}"
-                       icon-left="eye"
-                       label="View This" />
-         <wutta-button once
-                       tag="a" href="${master.get_action_url('edit', instance)}"
-                       icon-left="edit"
-                       label="Edit This" />
+          % if instance_editable and master.has_perm('edit'):
+              <wutta-button once
+                            tag="a" href="${master.get_action_url('edit', instance)}"
+                            icon-left="edit"
+                            label="Edit This" />
+          % endif
+          % if instance_deletable and master.has_perm('delete'):
+              <wutta-button once type="is-danger"
+                            tag="a" href="${master.get_action_url('delete', instance)}"
+                            icon-left="trash"
+                            label="Delete This" />
+          % endif
+      % elif master.editing:
+          % if instance_viewable and master.has_perm('view'):
+              <wutta-button once
+                            tag="a" href="${master.get_action_url('view', instance)}"
+                            icon-left="eye"
+                            label="View This" />
+          % endif
+          % if instance_deletable and master.has_perm('delete'):
+              <wutta-button once type="is-danger"
+                            tag="a" href="${master.get_action_url('delete', instance)}"
+                            icon-left="trash"
+                            label="Delete This" />
+          % endif
+      % elif master.deleting:
+          % if instance_viewable and master.has_perm('view'):
+              <wutta-button once
+                            tag="a" href="${master.get_action_url('view', instance)}"
+                            icon-left="eye"
+                            label="View This" />
+          % endif
+          % if instance_editable and master.has_perm('edit'):
+              <wutta-button once
+                            tag="a" href="${master.get_action_url('edit', instance)}"
+                            icon-left="edit"
+                            label="Edit This" />
+          % endif
       % endif
   % endif
 </%def>