From 7c1ecce6db68c09de421883f7ba2a665b9834e23 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sat, 9 Apr 2022 16:59:06 +0200
Subject: [PATCH] Fix permissions

---
 aleksis/apps/stoelindeling/rules.py      | 17 +++++++++--------
 aleksis/apps/stoelindeling/util/perms.py | 14 +++++++++++++-
 aleksis/apps/stoelindeling/views.py      | 10 +++++++++-
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/aleksis/apps/stoelindeling/rules.py b/aleksis/apps/stoelindeling/rules.py
index f01f7e1..1617bdf 100644
--- a/aleksis/apps/stoelindeling/rules.py
+++ b/aleksis/apps/stoelindeling/rules.py
@@ -5,10 +5,11 @@ from aleksis.core.util.predicates import (
     has_global_perm,
     has_object_perm,
     has_person,
+    is_group_owner,
 )
 
 from .models import SeatingPlan
-from .util.perms import is_group_owner
+from .util.perms import is_plan_group_owner
 
 # View seating plan list
 view_seatingplans_predicate = has_person & (
@@ -22,13 +23,13 @@ add_perm("stoelindeling.view_seatingplans_rule", view_seatingplans_predicate)
 view_seatingplan_predicate = has_person & (
     has_global_perm("stoelindeling.view_seatingplan")
     | has_object_perm("stoelindeling.view_seatingplan")
-    | is_group_owner
+    | is_plan_group_owner
 )
 add_perm("stoelindeling.view_seatingplan_rule", view_seatingplan_predicate)
 
 # Add seating plan
-add_seatingplan_predicate = view_seatingplans_predicate & has_global_perm(
-    "stoelindeling.add_seatingplan"
+add_seatingplan_predicate = view_seatingplans_predicate & (
+    has_global_perm("stoelindeling.add_seatingplan") | is_group_owner | is_plan_group_owner
 )
 add_perm("stoelindeling.add_seatingplan_rule", add_seatingplan_predicate)
 
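Review bot: `add_seatingplan_predicate` now ORs two owner predicates that expect different objects, so what the rule grants depends entirely on which object the caller passes. `is_plan_group_owner` returns False for anything that is not a `SeatingPlan`, so on a create check without an object only the imported core `is_group_owner` could grant access, and how it handles a missing object is not visible in this diff. Because `copy_seatingplan_predicate` reuses this predicate, owning the source plan's group is now enough to pass the copy rule, and nothing in the rule ties the permission to the group chosen for the new plan. Please confirm that the create and copy forms restrict the selectable groups server-side to those the user owns, and record the expected object in a comment such as `# obj: target Group on create, source SeatingPlan on copy`.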
@@ -37,17 +38,17 @@ copy_seatingplan_predicate = view_seatingplan_predicate & add_seatingplan_predic
 add_perm("stoelindeling.copy_seatingplan_rule", copy_seatingplan_predicate)
 
 # Edit seating plan
-edit_seatingplan_predicate = view_seatingplans_predicate & (
+edit_seatingplan_predicate = view_seatingplan_predicate & (
     has_global_perm("stoelindeling.change_seatingplan")
-    | is_group_owner
+    | is_plan_group_owner
     | has_object_perm("stoelindeling.change_seatingplan")
 )
 add_perm("stoelindeling.edit_seatingplan_rule", edit_seatingplan_predicate)
 
 # Delete seating plan
-delete_seatingplan_predicate = view_seatingplans_predicate & (
+delete_seatingplan_predicate = view_seatingplan_predicate & (
     has_global_perm("stoelindeling.delete_seatingplan")
-    | is_group_owner
+    | is_plan_group_owner
     | has_object_perm("stoelindeling.delete_seatingplan")
 )
 add_perm("stoelindeling.delete_seatingplan_rule", delete_seatingplan_predicate)
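Review bot: The edit and delete rules are now object-level, but the `# Edit seating plan` and `# Delete seating plan` comments do not say so, and a caller that checks them without a plan instance will deny group owners. `is_plan_group_owner` returns False unless it is given a `SeatingPlan`, so `edit_seatingplan_rule` and `delete_seatingplan_rule` admit owners only when the plan itself is passed. I would add a comment above each rule, for example `# Object-level rule: check with the SeatingPlan instance`, and verify that every view and template testing these rules passes the object.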
diff --git a/aleksis/apps/stoelindeling/util/perms.py b/aleksis/apps/stoelindeling/util/perms.py
index c55d09b..0876019 100644
--- a/aleksis/apps/stoelindeling/util/perms.py
+++ b/aleksis/apps/stoelindeling/util/perms.py
@@ -3,12 +3,24 @@ from django.db.models import Q
 from guardian.shortcuts import get_objects_for_user
 from rules import predicate
 
+from aleksis.core.models import Group
+
 from ..models import SeatingPlan
 
 
 @predicate
-def is_group_owner(user, seating_plan: SeatingPlan) -> bool:
+def is_group_owner(user, group: Group) -> bool:
+    """Predicate which checks if the user is a owner of the group."""
+    if not isinstance(group, Group):
+        return False
+    return user.person in group.owners.all()
+
+
+@predicate
+def is_plan_group_owner(user, seating_plan: SeatingPlan) -> bool:
     """Predicate which checks if the user is a owner of the seating plan's group."""
+    if not isinstance(seating_plan, SeatingPlan):
+        return False
     return user.person in seating_plan.group.owners.all()
 
 
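Review bot: The `is_group_owner` predicate added here shares its name with the one `rules.py` imports from `aleksis.core.util.predicates` in this same commit, and `rules.py` now takes only `is_plan_group_owner` from this module, so the local definition appears unused. Two same-named predicates in authorization code make it easy to import the wrong one later; I would drop the local copy or rename it unless a module not visible here needs it. Both predicates also read `user.person` directly, which presumably fails for a user without a person and so relies on `has_person` being evaluated first in every rule; a comment such as `# requires has_person earlier in the rule` would record that. Minor: both docstrings should read "an owner".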
diff --git a/aleksis/apps/stoelindeling/views.py b/aleksis/apps/stoelindeling/views.py
index 65025df..0b3f4b9 100644
--- a/aleksis/apps/stoelindeling/views.py
+++ b/aleksis/apps/stoelindeling/views.py
@@ -16,8 +16,8 @@ from aleksis.core.mixins import (
     AdvancedEditView,
     SuccessNextMixin,
 )
-
 from aleksis.core.views import LoginView
+
 from .forms import SeatFormSet, SeatingPlanCopyForm, SeatingPlanCreateForm, SeatingPlanForm
 from .models import Seat, SeatingPlan
 from .tables import SeatingPlanTable
@@ -58,6 +58,14 @@ class SeatingPlanCreateView(PermissionRequiredMixin, SuccessNextMixin, AdvancedC
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
         kwargs["request"] = self.request
+        initial = {}
+        if "room" in self.request.GET:
+            initial["room"] = self.request.GET["room"]
+        if "subject" in self.request.GET:
+            initial["subject"] = self.request.GET["subject"]
+        if "group" in self.request.GET:
+            initial["group"] = self.request.GET["group"]
+        kwargs["initial"] = initial
         return kwargs
 
 
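Review bot: `kwargs["initial"] = initial` replaces whatever `super().get_form_kwargs()` already stored under `initial`, so any defaults supplied by `get_initial()` on this view or its mixins would be discarded even when none of the three query parameters is present. Merging keeps them: `kwargs["initial"] = {**kwargs.get("initial", {}), **initial}`. The values come straight from the query string and only pre-fill the form, so they are not an authorization check; the form still has to verify on submit that the chosen group is one the user may create plans for, which is not visible in this hunk. The class body starts outside the hunk, so I cannot see whether `get_initial()` is overridden.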
-- 
GitLab