diff --git a/flask_appbuilder/baseviews.py b/flask_appbuilder/baseviews.py
index b273f2d14e..0ef328c912 100644
--- a/flask_appbuilder/baseviews.py
+++ b/flask_appbuilder/baseviews.py
@@ -679,6 +679,8 @@ class MyView(ModelView):
 """
 _related_views = None
 """ internal list with ref to instantiated view classes """
+ allowed_related_views = None
+ """ Holds related views where the user has 'can_list' permission. """
 list_title = ""
 """ List Title, if not configured the default is 'List ' with pretty model name """
 show_title = ""
@@ -1032,8 +1034,15 @@ def _get_related_views_widgets(
 Model View widgets
 """
 widgets = widgets or {}
+ self.allowed_related_views = []
 widgets["related_views"] = []
 for view in self._related_views:
+ # Skip related views if the current user does not have 'can_list' permission
+ if not self.appbuilder.sm.has_access("can_list", view.__class__.__name__):
+ continue
+
+ self.allowed_related_views.append(view)
+
 if orders.get(view.__class__.__name__):
 order_column, order_direction = orders.get(view.__class__.__name__)
 else:
diff --git a/flask_appbuilder/templates/appbuilder/general/model/edit.html b/flask_appbuilder/templates/appbuilder/general/model/edit.html
index e0f04fc3f0..3a4dad749f 100644
--- a/flask_appbuilder/templates/appbuilder/general/model/edit.html
+++ b/flask_appbuilder/templates/appbuilder/general/model/edit.html
@@ -13,9 +13,12 @@
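Review bot: `self.allowed_related_views = []` in `_get_related_views_widgets` keeps a per-user permission result on the view object, and the `show`, `edit` and `list` hunks in views.py read it back from `self`. If one view instance serves all requests (the docstring on `_related_views` speaks of instantiated view classes, which suggests it does), concurrent requests from users with different `can_list` rights can overwrite each other's list between filtering and rendering, and a handler that did not call this method in the current request would see `None` or an earlier user's list. Keep the result request-local: collect it in a local list, return it through the dict with `widgets["allowed_related_views"] = allowed`, and let the handlers pass that value to the template. The function starts and ends outside the hunk.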
+ {% set widget_related_views = widgets.get('related_views') %}
 {% for view in related_views %}
- {{ widgets.get('related_views')[loop.index - 1]()|safe }}
+ {% if loop.index0 < widget_related_views|length %}
+ {{ widget_related_views[loop.index0](pk=pk)|safe }}
+ {% endif %}
 {% endfor %}
 {% endif %}
diff --git a/flask_appbuilder/templates/appbuilder/general/model/edit_cascade.html b/flask_appbuilder/templates/appbuilder/general/model/edit_cascade.html
index 7b7e3fec63..cb32d793c1 100644
--- a/flask_appbuilder/templates/appbuilder/general/model/edit_cascade.html
+++ b/flask_appbuilder/templates/appbuilder/general/model/edit_cascade.html
@@ -11,9 +11,12 @@
 {% block related_views %}
 {% if related_views is defined %}
+ {% set widget_related_views = widgets.get('related_views') %}
 {% for view in related_views %}
 {% call lib.accordion_tag(view.__class__.__name__,view.title, False) %}
- {{ widgets.get('related_views')[loop.index - 1](pk = pk)|safe }}
+ {% if loop.index0 < widget_related_views|length %}
+ {{ widget_related_views[loop.index0](pk=pk)|safe }}
+ {% endif %}
 {% endcall %}
 {% endfor %}
 {% endif %}
diff --git a/flask_appbuilder/templates/appbuilder/general/model/left_master_detail.html b/flask_appbuilder/templates/appbuilder/general/model/left_master_detail.html
index c26eceb7aa..772e2b9bbc 100644
--- a/flask_appbuilder/templates/appbuilder/general/model/left_master_detail.html
+++ b/flask_appbuilder/templates/appbuilder/general/model/left_master_detail.html
@@ -8,11 +8,14 @@
 {{ widgets.get('list')()|safe }}
 {{ lib.panel_end() }}
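Review bot: The guard `{% if loop.index0 < widget_related_views|length %}` still pairs each view with its widget by position only, so if `related_views` and `widgets['related_views']` ever differ in length or order the page silently drops a panel or shows a widget under another view's title instead of failing. Both lists are filled in the same loop in `_get_related_views_widgets`, so passing the template one list of view/widget pairs would remove the index arithmetic; failing that, add a comment above the `set`, `{# must stay index-aligned with related_views #}`. This hunk also changes the call from `()` to `(pk=pk)`, which is not mentioned anywhere visible and should be confirmed as intended for the edit form. The same guard appears in the edit_cascade.html, left_master_detail.html, show.html and show_cascade.html hunks.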
+{% set widget_related_views = widgets.get('related_views') %}
 {% for view in related_views %}
 {{ lib.panel_begin(view.list_title) }}
- {{ widgets.get('related_views')[loop.index - 1](pk = pk)|safe }}
+ {% if loop.index0 < widget_related_views|length %}
+ {{ widget_related_views[loop.index0](pk=pk)|safe }}
+ {% endif %}
 {{ lib.panel_end() }}
diff --git a/flask_appbuilder/templates/appbuilder/general/model/show.html b/flask_appbuilder/templates/appbuilder/general/model/show.html
index 8c2510ca30..3db43f47da 100644
--- a/flask_appbuilder/templates/appbuilder/general/model/show.html
+++ b/flask_appbuilder/templates/appbuilder/general/model/show.html
@@ -8,16 +8,22 @@
+ {% set widget_related_views = widgets.get('related_views') %}
 {% for view in related_views %}
- {{ widgets.get('related_views')[loop.index - 1](pk = pk)|safe }}
+ {% if loop.index0 < widget_related_views|length %}
+ {{ widget_related_views[loop.index0](pk=pk)|safe }}
+ {% endif %}
 {% endfor %}
 {% endif %}
diff --git a/flask_appbuilder/templates/appbuilder/general/model/show_cascade.html b/flask_appbuilder/templates/appbuilder/general/model/show_cascade.html
index 087e7fe2ce..9a5e967110 100644
--- a/flask_appbuilder/templates/appbuilder/general/model/show_cascade.html
+++ b/flask_appbuilder/templates/appbuilder/general/model/show_cascade.html
@@ -10,9 +10,12 @@
 {% block related_views %}
 {% if related_views is defined %}
+ {% set widget_related_views = widgets.get('related_views') %}
 {% for view in related_views %}
 {% call lib.accordion_tag(view.__class__.__name__,view.title, False) %}
- {{ widgets.get('related_views')[loop.index - 1](pk = pk)|safe }}
+ {% if loop.index0 < widget_related_views|length %}
+ {{ widget_related_views[loop.index0](pk=pk)|safe }}
+ {% endif %}
 {% endcall %}
 {% endfor %}
 {% endif %}
diff --git a/flask_appbuilder/views.py b/flask_appbuilder/views.py
index 67cdf109fd..aa4480cc0b 100644
--- a/flask_appbuilder/views.py
+++ b/flask_appbuilder/views.py
@@ -571,7 +571,7 @@ def show(self, pk):
 pk=pk,
 title=self.show_title,
 widgets=widgets,
- related_views=self._related_views,
+ related_views=self.allowed_related_views,
 )
 """
@@ -609,7 +609,7 @@ def edit(self, pk):
 self.edit_template,
 title=self.edit_title,
 widgets=widgets,
- related_views=self._related_views,
+ related_views=self.allowed_related_views,
 )
 """
@@ -731,7 +731,7 @@ def list(self, pk=None):
 widgets = self._get_related_views_widgets(
 item, orders=orders, pages=pages, page_sizes=page_sizes, widgets=widgets
 )
- related_views = self._related_views
+ related_views = self.allowed_related_views
 else:
 related_views = []