
Add permissions check to model lookup view

Denis K 8 years ago
parent
commit
734f3521d8
1 changed files with 9 additions and 1 deletions
  1. 9 1
      jet/forms.py

+ 9 - 1
jet/forms.py

@@ -1,5 +1,7 @@
 import json
 from django import forms
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ValidationError
 from django.db.models import Q
 import operator
@@ -106,7 +108,7 @@ class ModelLookupForm(forms.Form):
     def clean(self):
         data = super(ModelLookupForm, self).clean()
 
-        if not self.request.user.is_authenticated():
+        if not self.request.user.is_authenticated() or not self.request.user.is_staff:
             raise ValidationError('error')
 
         try:
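Review bot: The new guard still calls `self.request.user.is_authenticated()` as a method, which is version-sensitive: from Django 1.10 it is a property, and calling it stops working in 2.0, so if the project targets those versions this access check raises instead of rejecting the request. `AnonymousUser.is_staff` is always False, so the staff test alone already rejects unauthenticated callers and the line could be reduced to `if not self.request.user.is_staff:`. clean() continues past the end of this hunk.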
@@ -114,6 +116,12 @@ class ModelLookupForm(forms.Form):
         except:
             raise ValidationError('error')
 
+        content_type = ContentType.objects.get_for_model(self.model_cls)
+        permission = Permission.objects.filter(content_type=content_type, codename__startswith='change_').first()
+
+        if not self.request.user.has_perm(permission.codename):
+            raise ValidationError('error')
+
         return data
 
     def lookup(self):
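Review bot: `self.request.user.has_perm(permission.codename)` passes a bare codename, but Django's `has_perm` matches against `app_label.codename`, so it looks like every non-superuser staff account is rejected here even when it holds the change permission. `.first()` also returns `None` when no codename for the content type starts with `change_`, which turns the denial into an AttributeError (a 500 response) instead of the ValidationError, and the prefix match can select an unrelated custom permission whose codename happens to begin with `change_`. Building the name from the model's meta avoids all three: `opts = self.model_cls._meta`, `perm = '%s.%s' % (opts.app_label, get_permission_codename('change', opts))`, `if not self.request.user.has_perm(perm):`, with `get_permission_codename` imported from `django.contrib.auth`. clean() begins in the previous hunk, so the code between the two hunks is not visible here.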