o >hP@sVddlmZddlmZddlmZddlmZmZdZ ddZ dd Z dd d Z d S))get_user_model)HttpResponseForbiddenwraps)MenuUserPermissions)viewaddeditdeleteexportcCstjdj|dd}g}i}|D]0}|jjpd}|s qt|j t|j t|j t|j t|j d||<|j rA||q|jrmtjjddD] }|jpRd}|rl||||vrldddddd||<qLttt|}||fS)a  Called on login (or whenever you want to refresh). Creates two session objects: - request.session['assigned_menu'] -> list of allowed menu_action codes - request.session['menu_permissions'] -> dict keyed by menu_action with action booleans ref_menuT)ref_userref_menu__menu_statuscan_viewcan_addcan_edit can_delete can_export) menu_status)robjectsselect_relatedfilterr menu_actionupperstripboolrrrrrappend is_superuserrsortedlistset)userperms_qs assigned_menumenu_permissionsupcodemr+O/var/www/html/myvaluetrips/my_value_trip_new/my_value_trip/users/permissions.pybuild_session_permissions s>     r-c Csdddddd}|jjs|S|pd}|jdi}|jjr(dd|DS||vrd|||dr7dnd||d rAdnd||d rKdnd||d rUdnd||d r_dndd|S) z Return dict with can_* flags for a given menu code (like 'USER'). Matches your old behavior (only can_view, can_add, etc.). rrrr'cSsi|]}|dqS)r+).0kr+r+r, Rsz$get_module_perms..rr.rrrr)r$is_authenticatedrrsessiongetr update)request menu_codepermsr'r+r+r,get_module_perms=s*r9rcstvsJfdd}|S)z Decorator for view-level guard (like your CI checks): @require_menu_perm('USER', 'view') @require_menu_perm('USER', 'add') cstfdd}|S)Ncs:t|}|ddstdS|g|Ri|S)Ncan_rzUnauthorized Access)r9r4r)r6argskwargsr8)actionr7 view_funcr+r,_wrappeds z6require_menu_perm..decorator.._wrappedr)r>r?r=r7)r>r, decoratorsz$require_menu_perm..decorator) MENU_ACTIONS)r7r=rAr+r@r,require_menu_permys rCN)r) django.contrib.authr django.httpr functoolsr users.modelsrrrBr-r9rCr+r+r+r,s   2<