Merge branch '348-permission-bugs-with-editable-list-on-person-statistics-page' into 'master'

Resolve "Permission bugs with editable list on person statistics page" Closes #348 See merge request !460

Merge branch '348-permission-bugs-with-editable-list-on-person-statistics-page' into 'master'
6c9b518a · Jonathan Weth · 678505d4 · ebdb5250 · 6c9b518a · 6c9b518a
Commit 6c9b518a authored 2 months ago by Jonathan Weth
--- a/aleksis/apps/alsijil/frontend/components/coursebook/statistics/StatisticsForPersonPage.vue
+++ b/aleksis/apps/alsijil/frontend/components/coursebook/statistics/StatisticsForPersonPage.vue
@@ -87,8 +87,7 @@
                      <v-col cols="12" md="6" class="pa-0 d-flex">
                        <v-list-item-avatar
                          v-if="
-                            mode === MODE.PARTICIPATIONS &&
-                            !$vuetify.breakpoint.mobile
+                            mode === MODE.PARTICIPATIONS && showCheckbox(item)
                          "
                        >
                          <v-item v-slot="{ active, toggle }" :value="item.id">
@@ -379,6 +378,9 @@ export default {
      // Only ExtraMarks can be deleted
      return item.canDelete && item.extraMark;
    },
+    showCheckbox(item) {
+      return this.showEdit(item);
+    },
  },
 };
 </script>
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -13,11 +13,13 @@ from aleksis.core.util.predicates import (
 from .util.predicates import (
    can_edit_documentation,
    can_edit_participation_status,
+    can_edit_participation_status_for_documentation,
    can_edit_personal_note,
    can_register_absence_for_at_least_one_group,
    can_register_absence_for_person,
    can_view_documentation,
    can_view_participation_status,
+    can_view_participation_status_for_documentation,
    can_view_personal_note,
    can_view_statistics_for_person,
    has_person_group_object_perm,
@@ -196,7 +198,8 @@ add_perm("alsijil.edit_documentation_rule", edit_documentation_predicate)
 add_perm("alsijil.delete_documentation_rule", edit_documentation_predicate)

 view_participation_status_for_documentation_predicate = has_person & (
-    has_global_perm("alsijil.change_participationstatus") | can_view_participation_status
+    has_global_perm("alsijil.change_participationstatus")
+    | can_view_participation_status_for_documentation
 )
 add_perm(
    "alsijil.view_participation_status_for_documentation_rule",
@@ -205,7 +208,10 @@ add_perm(

 edit_participation_status_for_documentation_with_time_range_predicate = (
    has_person
-    & (has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status)
+    & (
+        has_global_perm("alsijil.change_participationstatus")
+        | can_edit_participation_status_for_documentation
+    )
    & is_in_allowed_time_range_for_participation_status
 )
 add_perm(
@@ -214,13 +220,30 @@ add_perm(
 )

 edit_participation_status_for_documentation_predicate = has_person & (
-    has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+    has_global_perm("alsijil.change_participationstatus")
+    | can_edit_participation_status_for_documentation
 )
 add_perm(
    "alsijil.edit_participation_status_for_documentation_rule",
    edit_participation_status_for_documentation_predicate,
 )

+view_participation_status_predicate = has_person & (
+    has_global_perm("alsijil.view_participationstatus") | can_view_participation_status
+)
+add_perm(
+    "alsijil.view_participation_status_rule",
+    view_participation_status_predicate,
+)
+
+edit_participation_status_predicate = has_person & (
+    has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+)
+add_perm(
+    "alsijil.edit_participation_status_rule",
+    edit_participation_status_predicate,
+)
+
 view_personal_note_predicate = has_person & (
    has_global_perm("alsijil.change_newpersonalnote") | can_view_personal_note
 )

--- a/aleksis/apps/alsijil/schema/documentation.py
+++ b/aleksis/apps/alsijil/schema/documentation.py
@@ -7,12 +7,10 @@ from reversion import create_revision, set_comment, set_user

 from aleksis.apps.alsijil.util.predicates import (
    can_edit_documentation,
+    can_edit_participation_status_for_documentation,
    is_in_allowed_time_range,
    is_in_allowed_time_range_for_participation_status,
 )
-from aleksis.apps.alsijil.util.predicates import (
-    can_edit_participation_status as can_edit_participation_status_predicate,
-)
 from aleksis.apps.chronos.schema import LessonEventType
 from aleksis.apps.cursus.models import Subject
 from aleksis.apps.cursus.schema import CourseType, SubjectType
@@ -98,7 +96,7 @@ class DocumentationType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectTyp
    @staticmethod
    def resolve_can_edit_participation_status(root: Documentation, info, **kwargs):
        """Shows whether the user can edit all participation statuses of the documentation"""
-        return can_edit_participation_status_predicate(info.context.user, root)
+        return can_edit_participation_status_for_documentation(info.context.user, root)

    @staticmethod
    def resolve_can_view_participation_status(root: Documentation, info, **kwargs):

--- a/aleksis/apps/alsijil/schema/participation_status.py
+++ b/aleksis/apps/alsijil/schema/participation_status.py
@@ -68,6 +68,14 @@ class ParticipationStatusType(
            note__isnull=False,
        ).exclude(note="")

+    @staticmethod
+    def resolve_can_edit(root: ParticipationStatus, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+
+    @staticmethod
+    def resolve_can_delete(root: ParticipationStatus, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+

 class ParticipationStatusBatchPatchMutation(BaseBatchPatchMutation):
    class Meta:

--- a/aleksis/apps/alsijil/schema/personal_note.py
+++ b/aleksis/apps/alsijil/schema/personal_note.py
@@ -26,6 +26,14 @@ class PersonalNoteType(
            "documentation",
        )

+    @staticmethod
+    def resolve_can_edit(root: NewPersonalNote, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_personal_note_rule", root)
+
+    @staticmethod
+    def resolve_can_delete(root: NewPersonalNote, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_personal_note_rule", root)
+

 class PersonalNoteBatchCreateMutation(BaseBatchCreateMutation):
    class Meta:

--- a/aleksis/apps/alsijil/util/predicates.py
+++ b/aleksis/apps/alsijil/util/predicates.py
@@ -12,7 +12,7 @@ from aleksis.core.models import Group, Person
 from aleksis.core.util.core_helpers import get_site_preferences
 from aleksis.core.util.predicates import check_object_permission

-from ..models import Documentation, NewPersonalNote
+from ..models import Documentation, NewPersonalNote, ParticipationStatus


 @predicate
@@ -277,7 +277,7 @@ def can_edit_documentation(user: User, obj: Documentation):


 @predicate
-def can_view_participation_status(user: User, obj: Documentation):
+def can_view_participation_status_for_documentation(user: User, obj: Documentation):
    """Predicate which checks if the user is allowed to view participation for a documentation."""
    if obj:
        if obj.amends and obj.amends.cancelled:
@@ -294,7 +294,7 @@ def can_view_participation_status(user: User, obj: Documentation):


 @predicate
-def can_edit_participation_status(user: User, obj: Documentation):
+def can_edit_participation_status_for_documentation(user: User, obj: Documentation):
    """Predicate which checks if the user is allowed to edit participation for a documentation."""
    if obj:
        if obj.amends and obj.amends.cancelled:
@@ -308,6 +308,22 @@ def can_edit_participation_status(user: User, obj: Documentation):
    return False


+@predicate
+def can_view_participation_status(user: User, obj: ParticipationStatus):
+    """Predicate which checks if the user is allowed to view participation."""
+    if obj.related_documentation:
+        return can_view_participation_status_for_documentation(user, obj.related_documentation)
+    return False
+
+
+@predicate
+def can_edit_participation_status(user: User, obj: ParticipationStatus):
+    """Predicate which checks if the user is allowed to edit participation."""
+    if obj.related_documentation:
+        return can_edit_participation_status_for_documentation(user, obj.related_documentation)
+    return False
+
+
 @predicate
 def is_in_allowed_time_range(user: User, obj: Union[Documentation, NewPersonalNote]):
    """Predicate for documentations or new personal notes with linked documentation.