Merge branch '348-permission-bugs-with-editable-list-on-person-statistics-page' into 'master'

Resolve "Permission bugs with editable list on person statistics page"

Closes #348

See merge request !460

aleksis/apps/alsijil/frontend/components/coursebook/statistics/StatisticsForPersonPage.vue

@@ -87,8 +87,7 @@
                       <v-col cols="12" md="6" class="pa-0 d-flex">
                         <v-list-item-avatar
                           v-if="
-                            mode === MODE.PARTICIPATIONS &&
-                            !$vuetify.breakpoint.mobile
+                            mode === MODE.PARTICIPATIONS && showCheckbox(item)
                           "
                         >
                           <v-item v-slot="{ active, toggle }" :value="item.id">
@@ -379,6 +378,9 @@ export default {
       // Only ExtraMarks can be deleted
       return item.canDelete && item.extraMark;
     },
+    showCheckbox(item) {
+      return this.showEdit(item);
+    },
   },
 };
 </script>

aleksis/apps/alsijil/rules.py

@@ -13,11 +13,13 @@ from aleksis.core.util.predicates import (
 from .util.predicates import (
     can_edit_documentation,
     can_edit_participation_status,
+    can_edit_participation_status_for_documentation,
     can_edit_personal_note,
     can_register_absence_for_at_least_one_group,
     can_register_absence_for_person,
     can_view_documentation,
     can_view_participation_status,
+    can_view_participation_status_for_documentation,
     can_view_personal_note,
     can_view_statistics_for_person,
     has_person_group_object_perm,
@@ -196,7 +198,8 @@ add_perm("alsijil.edit_documentation_rule", edit_documentation_predicate)
 add_perm("alsijil.delete_documentation_rule", edit_documentation_predicate)
 
 view_participation_status_for_documentation_predicate = has_person & (
-    has_global_perm("alsijil.change_participationstatus") | can_view_participation_status
+    has_global_perm("alsijil.change_participationstatus")
+    | can_view_participation_status_for_documentation
 )
 add_perm(
     "alsijil.view_participation_status_for_documentation_rule",
@@ -205,7 +208,10 @@ add_perm(
 
 edit_participation_status_for_documentation_with_time_range_predicate = (
     has_person
-    & (has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status)
+    & (
+        has_global_perm("alsijil.change_participationstatus")
+        | can_edit_participation_status_for_documentation
+    )
     & is_in_allowed_time_range_for_participation_status
 )
 add_perm(
@@ -214,13 +220,30 @@ add_perm(
 )
 
 edit_participation_status_for_documentation_predicate = has_person & (
-    has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+    has_global_perm("alsijil.change_participationstatus")
+    | can_edit_participation_status_for_documentation
 )
 add_perm(
     "alsijil.edit_participation_status_for_documentation_rule",
     edit_participation_status_for_documentation_predicate,
 )
 
+view_participation_status_predicate = has_person & (
+    has_global_perm("alsijil.view_participationstatus") | can_view_participation_status
+)
+add_perm(
+    "alsijil.view_participation_status_rule",
+    view_participation_status_predicate,
+)
+
+edit_participation_status_predicate = has_person & (
+    has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+)
+add_perm(
+    "alsijil.edit_participation_status_rule",
+    edit_participation_status_predicate,
+)
+
 view_personal_note_predicate = has_person & (
     has_global_perm("alsijil.change_newpersonalnote") | can_view_personal_note
 )

aleksis/apps/alsijil/schema/documentation.py

@@ -7,12 +7,10 @@ from reversion import create_revision, set_comment, set_user
 
 from aleksis.apps.alsijil.util.predicates import (
     can_edit_documentation,
+    can_edit_participation_status_for_documentation,
     is_in_allowed_time_range,
     is_in_allowed_time_range_for_participation_status,
 )
-from aleksis.apps.alsijil.util.predicates import (
-    can_edit_participation_status as can_edit_participation_status_predicate,
-)
 from aleksis.apps.chronos.schema import LessonEventType
 from aleksis.apps.cursus.models import Subject
 from aleksis.apps.cursus.schema import CourseType, SubjectType
@@ -98,7 +96,7 @@ class DocumentationType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectTyp
     @staticmethod
     def resolve_can_edit_participation_status(root: Documentation, info, **kwargs):
         """Shows whether the user can edit all participation statuses of the documentation"""
-        return can_edit_participation_status_predicate(info.context.user, root)
+        return can_edit_participation_status_for_documentation(info.context.user, root)
 
     @staticmethod
     def resolve_can_view_participation_status(root: Documentation, info, **kwargs):

aleksis/apps/alsijil/schema/participation_status.py

@@ -68,6 +68,14 @@ class ParticipationStatusType(
             note__isnull=False,
         ).exclude(note="")
 
+    @staticmethod
+    def resolve_can_edit(root: ParticipationStatus, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+
+    @staticmethod
+    def resolve_can_delete(root: ParticipationStatus, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+
 
 class ParticipationStatusBatchPatchMutation(BaseBatchPatchMutation):
     class Meta:

aleksis/apps/alsijil/schema/personal_note.py

@@ -26,6 +26,14 @@ class PersonalNoteType(
             "documentation",
         )
 
+    @staticmethod
+    def resolve_can_edit(root: NewPersonalNote, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_personal_note_rule", root)
+
+    @staticmethod
+    def resolve_can_delete(root: NewPersonalNote, info, **kwargs):
+        return info.context.user.has_perm("alsijil.edit_personal_note_rule", root)
+
 
 class PersonalNoteBatchCreateMutation(BaseBatchCreateMutation):
     class Meta:

aleksis/apps/alsijil/util/predicates.py

@@ -12,7 +12,7 @@ from aleksis.core.models import Group, Person
 from aleksis.core.util.core_helpers import get_site_preferences
 from aleksis.core.util.predicates import check_object_permission
 
-from ..models import Documentation, NewPersonalNote
+from ..models import Documentation, NewPersonalNote, ParticipationStatus
 
 
 @predicate
@@ -277,7 +277,7 @@ def can_edit_documentation(user: User, obj: Documentation):
 
 
 @predicate
-def can_view_participation_status(user: User, obj: Documentation):
+def can_view_participation_status_for_documentation(user: User, obj: Documentation):
     """Predicate which checks if the user is allowed to view participation for a documentation."""
     if obj:
         if obj.amends and obj.amends.cancelled:
@@ -294,7 +294,7 @@ def can_view_participation_status(user: User, obj: Documentation):
 
 
 @predicate
-def can_edit_participation_status(user: User, obj: Documentation):
+def can_edit_participation_status_for_documentation(user: User, obj: Documentation):
     """Predicate which checks if the user is allowed to edit participation for a documentation."""
     if obj:
         if obj.amends and obj.amends.cancelled:
@@ -308,6 +308,22 @@ def can_edit_participation_status(user: User, obj: Documentation):
     return False
 
 
+@predicate
+def can_view_participation_status(user: User, obj: ParticipationStatus):
+    """Predicate which checks if the user is allowed to view participation."""
+    if obj.related_documentation:
+        return can_view_participation_status_for_documentation(user, obj.related_documentation)
+    return False
+
+
+@predicate
+def can_edit_participation_status(user: User, obj: ParticipationStatus):
+    """Predicate which checks if the user is allowed to edit participation."""
+    if obj.related_documentation:
+        return can_edit_participation_status_for_documentation(user, obj.related_documentation)
+    return False
+
+
 @predicate
 def is_in_allowed_time_range(user: User, obj: Union[Documentation, NewPersonalNote]):
     """Predicate for documentations or new personal notes with linked documentation.