Fix and add permissions

3535a8ae · Jonathan Weth · a2aa8588 · 3535a8ae · 3535a8ae · 3535a8ae
Verified Commit 3535a8ae authored 3 years ago by Jonathan Weth
--- a/aleksis/apps/stoelindeling/rules.py
+++ b/aleksis/apps/stoelindeling/rules.py
 from rules import add_perm

-from aleksis.core.util.predicates import has_global_perm, has_person
+from aleksis.core.util.predicates import (
+    has_any_object,
+    has_global_perm,
+    has_object_perm,
+    has_person,
+)
+
+from .models import SeatingPlan
+from .util.perms import is_group_owner

 # View seating plan list
-view_seatingplans_predicate = has_person & has_global_perm("stoelindeling.view_seatingplan")
+view_seatingplans_predicate = has_person & (
+    has_global_perm("stoelindeling.view_seatingplan")
+    | has_global_perm("stoelindeling.add_seatingplan")
+    | has_any_object("stoelindeling.view_seatingplan", SeatingPlan)
+)
 add_perm("stoelindeling.view_seatingplans_rule", view_seatingplans_predicate)

+# View seating plan
+view_seatingplan_predicate = has_person & (
+    has_global_perm("stoelindeling.view_seatingplan")
+    | has_object_perm("stoelindeling.view_seatingplan")
+    | is_group_owner
+)
+add_perm("stoelindeling.view_seatingplan_rule", view_seatingplan_predicate)
+
 # Add seating plan
 add_seatingplan_predicate = view_seatingplans_predicate & has_global_perm(
    "stoelindeling.add_seatingplan"
@@ -13,13 +33,17 @@ add_seatingplan_predicate = view_seatingplans_predicate & has_global_perm(
 add_perm("stoelindeling.add_seatingplan_rule", add_seatingplan_predicate)

 # Edit seating plan
-edit_seatingplan_predicate = view_seatingplans_predicate & has_global_perm(
-    "stoelindeling.change_seatingplan"
+edit_seatingplan_predicate = view_seatingplans_predicate & (
+    has_global_perm("stoelindeling.change_seatingplan")
+    | is_group_owner
+    | has_object_perm("stoelindeling.change_seatingplan")
 )
 add_perm("stoelindeling.edit_seatingplan_rule", edit_seatingplan_predicate)

 # Delete seating plan
-delete_seatingplan_predicate = view_seatingplans_predicate & has_global_perm(
-    "stoelindeling.delete_seatingplan"
+delete_seatingplan_predicate = view_seatingplans_predicate & (
+    has_global_perm("stoelindeling.delete_seatingplan")
+    | is_group_owner
+    | has_object_perm("stoelindeling.delete_seatingplan")
 )
 add_perm("stoelindeling.delete_seatingplan_rule", delete_seatingplan_predicate)
--- a/aleksis/apps/stoelindeling/templates/stoelindeling/seating_plan/list.html
+++ b/aleksis/apps/stoelindeling/templates/stoelindeling/seating_plan/list.html
@@ -2,17 +2,20 @@

 {% extends "core/base.html" %}

-{% load i18n %}
+{% load i18n rules %}
 {% load render_table from django_tables2 %}

 {% block browser_title %}{% blocktrans %}Seating plans{% endblocktrans %}{% endblock %}
 {% block page_title %}{% blocktrans %}Seating plans{% endblocktrans %}{% endblock %}

 {% block content %}
-  <a class="btn green waves-effect waves-light" href="{% url 'create_seating_plan' %}">
-    <i class="material-icons left iconify" data-icon="mdi:plus">add</i>
-    {% trans "Create seating plan" %}
-  </a>
+  {% has_perm "stoelindeling.create_seating_plan_rule" user as can_create_seating_plan %}
+  {% if can_create_seating_plan %}
+    <a class="btn green waves-effect waves-light" href="{% url 'create_seating_plan' %}">
+      <i class="material-icons left iconify" data-icon="mdi:plus">add</i>
+      {% trans "Create seating plan" %}
+    </a>
+  {% endif %}

  {% render_table table %}
 {% endblock %}
--- a/aleksis/apps/stoelindeling/templates/stoelindeling/seating_plan/view.html
+++ b/aleksis/apps/stoelindeling/templates/stoelindeling/seating_plan/view.html
@@ -18,13 +18,21 @@
 {% endblock %}

 {% block content %}
-  <a class="btn waves-effect waves-light orange margin-bottom" href="{% url "edit_seating_plan" object.pk %}">
-    <i class="material-icons left iconify" data-icon="mdi:pencil-outline"></i>
-    {% trans "Edit" %}
-  </a>
-  <a class="btn waves-effect waves-light red margin-bottom" href="{% url "delete_seating_plan" object.pk %}">
-    <i class="material-icons left iconify" data-icon="mdi:delete-outline"></i>
-    {% trans "Delete" %}
-  </a>
+  {% has_perm "stoelindeling.edit_seating_plan_rule" user seating_plan as can_edit %}
+  {% has_perm "stoelindeling.delete_seating_plan_rule" user seating_plan as can_delete %}
+
+  {% if can_edit %}
+    <a class="btn waves-effect waves-light orange margin-bottom" href="{% url "edit_seating_plan" object.pk %}">
+      <i class="material-icons left iconify" data-icon="mdi:pencil-outline"></i>
+      {% trans "Edit" %}
+    </a>
+  {% endif %}
+  {% if can_delete %}
+    <a class="btn waves-effect waves-light red margin-bottom" href="{% url "delete_seating_plan" object.pk %}">
+      <i class="material-icons left iconify" data-icon="mdi:delete-outline"></i>
+      {% trans "Delete" %}
+    </a>
+  {% endif %}
+
  {% include "stoelindeling/seating_plan/render.html" with seating_plan=object %}
 {% endblock %}
--- a/aleksis/apps/stoelindeling/util/perms.py
+++ b/aleksis/apps/stoelindeling/util/perms.py
+from django.db.models import Q
+
+from guardian.shortcuts import get_objects_for_user
+from rules import predicate
+
+from ..models import SeatingPlan
+
+
+@predicate
+def is_group_owner(user, seating_plan: SeatingPlan) -> bool:
+    """Predicate which checks if the user is a owner of the seating plan's group."""
+    return user.person in seating_plan.group.owners.all()
+
+
+def get_allowed_seating_plans(user):
+    """Get all seating plans the user is allowed to see."""
+    if not user.has_perm("stoelindeling.view_seatingplan"):
+        qs = SeatingPlan.objects.filter(
+            Q(
+                pk__in=get_objects_for_user(
+                    user, "stoelindeling.view_seatingplan", SeatingPlan
+                ).values_list("pk", flat=True)
+            )
+            | Q(owner=user.person)
+        )
+        return qs
+
+    return SeatingPlan.objects.all()
--- a/aleksis/apps/stoelindeling/views.py
+++ b/aleksis/apps/stoelindeling/views.py
@@ -15,6 +15,7 @@ from aleksis.core.mixins import AdvancedCreateView, AdvancedDeleteView, Advanced
 from .forms import SeatFormSet, SeatingPlanCreateForm, SeatingPlanForm
 from .models import Seat, SeatingPlan
 from .tables import SeatingPlanTable
+from .util.perms import get_allowed_seating_plans


 class SeatingPlanListView(PermissionRequiredMixin, SingleTableView):
@@ -25,6 +26,9 @@ class SeatingPlanListView(PermissionRequiredMixin, SingleTableView):
    permission_required = "stoelindeling.view_seatingplans_rule"
    template_name = "stoelindeling/seating_plan/list.html"

+    def get_queryset(self):
+        return get_allowed_seating_plans(self.request.user)
+

 class SeatingPlanDetailView(PermissionRequiredMixin, DetailView):
    """Table of all seating plans."""