Add permission checks

aleksis/apps/lesrooster/frontend/index.js

@@ -74,7 +74,7 @@ export default {
         inMenu: true,
         titleKey: "lesrooster.break.menu_title",
         icon: "mdi-timer-sand-paused",
-        permission: "lesrooster.view_breaks_rule",
+        permission: "lesrooster.view_break_slots_rule",
       },
     },
     {

aleksis/apps/lesrooster/migrations/0009_lesroosterglobalpermissions.py

+# Generated by Django 4.2.4 on 2023-08-15 21:40
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("lesrooster", "0008_one_default_time_grid"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="LesroosterGlobalPermissions",
+            fields=[
+                (
+                    "id",
+                    models.BigAutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+            ],
+            options={
+                "permissions": (
+                    ("view_lesson_raster", "Can view lesson raster"),
+                    ("view_timetable_creation", "Can view timetable creation"),
+                ),
+                "managed": False,
+            },
+        ),
+    ]

aleksis/apps/lesrooster/models.py

@@ -17,7 +17,7 @@ from recurrence.fields import RecurrenceField
 from aleksis.apps.chronos.managers import RoomPropertiesMixin, TeacherPropertiesMixin
 from aleksis.apps.chronos.models import LessonEvent, SupervisionEvent
 from aleksis.apps.cursus.models import Course, Subject
-from aleksis.core.mixins import ExtensibleModel, ExtensiblePolymorphicModel
+from aleksis.core.mixins import ExtensibleModel, ExtensiblePolymorphicModel, GlobalPermissionModel
 from aleksis.core.models import Group, Holiday, Person, Room, SchoolTerm
 
 from .managers import ValidityRangeManager, ValidityRangeQuerySet
@@ -671,3 +671,12 @@ class TimeboundCourseConfig(ExtensibleModel):
         ]
         verbose_name = _("Timebound course config")
         verbose_name_plural = _("Timebound course configs")
+
+
+class LesroosterGlobalPermissions(GlobalPermissionModel):
+    class Meta:
+        managed = False
+        permissions = (
+            ("view_lesson_raster", _("Can view lesson raster")),
+            ("view_timetable_creation", _("Can view timetable creation")),
+        )

aleksis/apps/lesrooster/rules.py

+from rules import add_perm
+
+from aleksis.core.util.predicates import (
+    has_any_object,
+    has_global_perm,
+    has_object_perm,
+    has_person,
+)
+
+from .models import BreakSlot, Lesson, Slot, Supervision, SupervisionSubstitution, TimeboundCourseConfig, TimeGrid, ValidityRange
+
+view_break_slots_predicate = has_person & (
+    has_global_perm("lesrooster.view_breakslot") | has_any_object("lesrooster.view_breakslot", BreakSlot)
+)
+add_perm("lesrooster.view_break_slots_rule", view_break_slots_predicate)
+
+view_break_slot_predicate = has_person & (
+    has_global_perm("lesrooster.view_breakslot") | has_object_perm("lesrooster.view_breakslot")
+)
+add_perm("lesrooster.view_break_slot_rule", view_break_slot_predicate)
+
+create_break_slot_predicate = has_person & has_global_perm("lesrooster.add_breakslot")
+add_perm("lesrooster.create_break_slot_rule", create_break_slot_predicate)
+
+edit_break_slot_predicate = view_break_slot_predicate & (
+    has_global_perm("lesrooster.change_breakslot") | has_object_perm("lesrooster.change_breakslot")
+)
+add_perm("lesrooster.edit_break_slot_rule", edit_break_slot_predicate)
+
+delete_break_slot_predicate = view_break_slot_predicate & (
+    has_global_perm("lesrooster.delete_breakslot") | has_object_perm("lesrooster.delete_breakslot")
+)
+add_perm("lesrooster.delete_break_slot_rule", delete_break_slot_predicate)
+
+view_lessons_predicate = has_person & (
+    has_global_perm("lesrooster.view_lesson") | has_any_object("lesrooster.view_lesson", Lesson)
+)
+add_perm("lesrooster.view_lessons_rule", view_lessons_predicate)
+
+view_lesson_predicate = has_person & (
+    has_global_perm("lesrooster.view_lesson") | has_object_perm("lesrooster.view_lesson")
+)
+add_perm("lesrooster.view_lesson_rule", view_lesson_predicate)
+
+create_lesson_predicate = has_person & has_global_perm("lesrooster.add_lesson")
+add_perm("lesrooster.create_lesson_rule", create_lesson_predicate)
+
+edit_lesson_predicate = view_lesson_predicate & (
+    has_global_perm("lesrooster.change_lesson") | has_object_perm("lesrooster.change_lesson")
+)
+add_perm("lesrooster.edit_lesson_rule", edit_lesson_predicate)
+
+delete_lesson_predicate = view_lesson_predicate & (
+    has_global_perm("lesrooster.delete_lesson") | has_object_perm("lesrooster.delete_lesson")
+)
+add_perm("lesrooster.delete_lesson_rule", delete_lesson_predicate)
+
+view_slots_predicate = has_person & (
+    has_global_perm("lesrooster.view_slot") | has_any_object("lesrooster.view_slot", Slot)
+)
+add_perm("lesrooster.view_slots_rule", view_slots_predicate)
+
+view_slot_predicate = has_person & (
+    has_global_perm("lesrooster.view_slot") | has_object_perm("lesrooster.view_slot")
+)
+add_perm("lesrooster.view_slot_rule", view_slot_predicate)
+
+create_slot_predicate = has_person & has_global_perm("lesrooster.add_slot")
+add_perm("lesrooster.create_slot_rule", create_slot_predicate)
+
+edit_slot_predicate = view_slot_predicate & (
+    has_global_perm("lesrooster.change_slot") | has_object_perm("lesrooster.change_slot")
+)
+add_perm("lesrooster.edit_slot_rule", edit_slot_predicate)
+
+delete_slot_predicate = view_slot_predicate & (
+    has_global_perm("lesrooster.delete_slot") | has_object_perm("lesrooster.delete_slot")
+)
+add_perm("lesrooster.delete_slot_rule", delete_slot_predicate)
+
+view_supervisions_predicate = has_person & (
+    has_global_perm("lesrooster.view_supervision") | has_any_object("lesrooster.view_supervision", Supervision)
+)
+add_perm("lesrooster.view_supervisions_rule", view_supervisions_predicate)
+
+view_supervision_predicate = has_person & (
+    has_global_perm("lesrooster.view_supervision") | has_object_perm("lesrooster.view_supervision")
+)
+add_perm("lesrooster.view_supervision_rule", view_supervision_predicate)
+
+create_supervision_predicate = has_person & has_global_perm("lesrooster.add_supervision")
+add_perm("lesrooster.create_supervision_rule", create_supervision_predicate)
+
+edit_supervision_predicate = view_supervision_predicate & (
+    has_global_perm("lesrooster.change_supervision") | has_object_perm("lesrooster.change_supervision")
+)
+add_perm("lesrooster.edit_supervision_rule", edit_supervision_predicate)
+
+delete_supervision_predicate = view_supervision_predicate & (
+    has_global_perm("lesrooster.delete_supervision") | has_object_perm("lesrooster.delete_supervision")
+)
+add_perm("lesrooster.delete_supervision_rule", delete_supervision_predicate)
+
+view_supervision_substitutions_predicate = has_person & (
+    has_global_perm("lesrooster.view_supervisionsubstitution") | has_any_object("lesrooster.view_supervisionsubstitution", SupervisionSubstitution)
+)
+add_perm("lesrooster.view_supervision_substitutions_rule", view_supervision_substitutions_predicate)
+
+view_supervision_substitution_predicate = has_person & (
+    has_global_perm("lesrooster.view_supervisionsubstitution") | has_object_perm("lesrooster.view_supervisionsubstitution")
+)
+add_perm("lesrooster.view_supervision_substitution_rule", view_supervision_substitution_predicate)
+
+create_supervision_substitution_predicate = has_person & has_global_perm("lesrooster.add_supervisionsubstitution")
+add_perm("lesrooster.create_supervision_substitution_rule", create_supervision_substitution_predicate)
+
+edit_supervision_substitution_predicate = view_supervision_substitution_predicate & (
+    has_global_perm("lesrooster.change_supervisionsubstitution") | has_object_perm("lesrooster.change_supervisionsubstitution")
+)
+add_perm("lesrooster.edit_supervision_substitution_rule", edit_supervision_substitution_predicate)
+
+delete_supervision_substitution_predicate = view_supervision_substitution_predicate & (
+    has_global_perm("lesrooster.delete_supervisionsubstitution") | has_object_perm("lesrooster.delete_supervisionsubstitution")
+)
+add_perm("lesrooster.delete_supervision_substitution_rule", delete_supervision_substitution_predicate)
+
+view_timebound_course_configs_predicate = has_person & (
+    has_global_perm("lesrooster.view_timeboundcourseconfig") | has_any_object("lesrooster.view_timeboundcourseconfig", TimeboundCourseConfig)
+)
+add_perm("lesrooster.view_timebound_course_configs_rule", view_timebound_course_configs_predicate)
+
+view_timebound_course_config_predicate = has_person & (
+    has_global_perm("lesrooster.view_timeboundcourseconfig") | has_object_perm("lesrooster.view_timeboundcourseconfig")
+)
+add_perm("lesrooster.view_timebound_course_config_rule", view_timebound_course_config_predicate)
+
+create_timebound_course_config_predicate = has_person & has_global_perm("lesrooster.add_timeboundcourseconfig")
+add_perm("lesrooster.create_timebound_course_config_rule", create_timebound_course_config_predicate)
+
+edit_timebound_course_config_predicate = view_timebound_course_config_predicate & (
+    has_global_perm("lesrooster.change_timeboundcourseconfig") | has_object_perm("lesrooster.change_timeboundcourseconfig")
+)
+add_perm("lesrooster.edit_timebound_course_config_rule", edit_timebound_course_config_predicate)
+
+delete_timebound_course_config_predicate = view_timebound_course_config_predicate & (
+    has_global_perm("lesrooster.delete_timeboundcourseconfig") | has_object_perm("lesrooster.delete_timeboundcourseconfig")
+)
+add_perm("lesrooster.delete_timebound_course_config_rule", delete_timebound_course_config_predicate)
+
+view_time_grids_predicate = has_person & (
+    has_global_perm("lesrooster.view_timegrid") | has_any_object("lesrooster.view_timegrid", TimeGrid)
+)
+add_perm("lesrooster.view_time_grids_rule", view_time_grids_predicate)
+
+view_time_grid_predicate = has_person & (
+    has_global_perm("lesrooster.view_timegrid") | has_object_perm("lesrooster.view_timegrid")
+)
+add_perm("lesrooster.view_time_grid_rule", view_time_grid_predicate)
+
+create_time_grid_predicate = has_person & has_global_perm("lesrooster.add_timegrid")
+add_perm("lesrooster.create_time_grid_rule", create_time_grid_predicate)
+
+edit_time_grid_predicate = view_time_grid_predicate & (
+    has_global_perm("lesrooster.change_timegrid") | has_object_perm("lesrooster.change_timegrid")
+)
+add_perm("lesrooster.edit_time_grid_rule", edit_time_grid_predicate)
+
+delete_time_grid_predicate = view_time_grid_predicate & (
+    has_global_perm("lesrooster.delete_timegrid") | has_object_perm("lesrooster.delete_timegrid")
+)
+add_perm("lesrooster.delete_time_grid_rule", delete_time_grid_predicate)
+
+view_validity_ranges_predicate = has_person & (
+    has_global_perm("lesrooster.view_validityrange") | has_any_object("lesrooster.view_validityrange", ValidityRange)
+)
+add_perm("lesrooster.view_validity_ranges_rule", view_validity_ranges_predicate)
+
+view_validity_range_predicate = has_person & (
+    has_global_perm("lesrooster.view_validityrange") | has_object_perm("lesrooster.view_validityrange")
+)
+add_perm("lesrooster.view_validity_range_rule", view_validity_range_predicate)
+
+create_validity_range_predicate = has_person & has_global_perm("lesrooster.add_validityrange")
+add_perm("lesrooster.create_validity_range_rule", create_validity_range_predicate)
+
+edit_validity_range_predicate = view_validity_range_predicate & (
+    has_global_perm("lesrooster.change_validityrange") | has_object_perm("lesrooster.change_validityrange")
+)
+add_perm("lesrooster.edit_validity_range_rule", edit_validity_range_predicate)
+
+delete_validity_range_predicate = view_validity_range_predicate & (
+    has_global_perm("lesrooster.delete_validityrange") | has_object_perm("lesrooster.delete_validityrange")
+)
+add_perm("lesrooster.delete_validity_range_rule", delete_validity_range_predicate)
+
+view_lesson_raster_predicate = has_person | has_global_perm("lesrooster.view_lesson_raster")  # FIXME
+add_perm("lesrooster.view_lesson_raster_rule", view_lesson_raster_predicate)
+
+view_timetable_creation_predicate = has_person | has_global_perm("lesrooster.view_timetable_creation")  # FIXME
+add_perm("lesrooster.view_timetable_creation_rule", view_timetable_creation_predicate)
+
+view_lesrooster_menu_predicate = (
+    view_validity_ranges_predicate
+    | view_slots_predicate
+    | view_break_slots_predicate
+    | view_timebound_course_configs_predicate
+    | view_lesson_raster_predicate
+    | view_timetable_creation_predicate
+)
+add_perm("lesrooster.view_lesrooster_menu_rule", view_lesrooster_menu_predicate)

aleksis/apps/lesrooster/schema/break_slot.py

@@ -49,12 +49,12 @@ class BreakSlotCreateMutation(DjangoCreateMutation):
         return_field_name = "breakSlot"
         field_types = {"weekday": graphene.Int()}
         exclude = ("managed_by_app_label",)
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_break_slot_rule",)
 
 
 class BreakSlotDeleteMutation(DeleteMutation):
     klass = BreakSlot
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_breakslot"
 
 
 class BreakSlotBatchCreateMutation(PermissionBatchPatchMixin, DjangoBatchCreateMutation):
@@ -63,13 +63,13 @@ class BreakSlotBatchCreateMutation(PermissionBatchPatchMixin, DjangoBatchCreateM
         return_field_name = "breakSlots"
         field_types = {"weekday": graphene.Int()}
         exclude = ("managed_by_app_label",)
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_break_slot_rule",)
 
 
 class BreakSlotBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
     class Meta:
         model = BreakSlot
-        permissions = ("lesrooster.delete_break",)
+        permissions = ("lesrooster.delete_breakslot",)
 
 
 class BreakSlotBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
@@ -77,4 +77,4 @@ class BreakSlotBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMut
         model = BreakSlot
         return_field_name = "breakSlots"
         field_types = {"weekday": graphene.Int()}
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_breakslot",)

aleksis/apps/lesrooster/schema/lesson.py

@@ -57,7 +57,7 @@ class LessonCreateMutation(DjangoCreateMutation):
             "recurrence",
         )
         field_types = {"recurrence": graphene.String()}
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_lesson",)
 
     @classmethod
     def handle_recurrence(cls, value: str, name, info) -> Recurrence:
@@ -66,13 +66,13 @@ class LessonCreateMutation(DjangoCreateMutation):
 
 class LessonDeleteMutation(DeleteMutation):
     klass = Lesson
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_lesson_rule"
 
 
 class LessonBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
     class Meta:
         model = Lesson
-        permissions = ("lesrooster.delete_lesson",)
+        permissions = ("lesrooster.delete_lesson_rule",)
 
 
 class LessonBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
@@ -89,7 +89,7 @@ class LessonBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutati
             "recurrence",
         )
         field_types = {"recurrence": graphene.String()}
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_lesson",)
 
     @classmethod
     def handle_recurrence(cls, value: str, name, info) -> Recurrence:
@@ -110,7 +110,7 @@ class LessonPatchMutation(PermissionPatchMixin, DjangoPatchMutation):
             "recurrence",
         )
         field_types = {"recurrence": graphene.String()}
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_lesson",)
 
     @classmethod
     def handle_recurrence(cls, value: str, name, info) -> Recurrence:

aleksis/apps/lesrooster/schema/slot.py

+from django.core.exceptions import PermissionDenied
 from django.db.models import Q
 
 import graphene
@@ -57,12 +58,12 @@ class SlotCreateMutation(DjangoCreateMutation):
         model = Slot
         field_types = {"weekday": graphene.Int()}
         exclude = ("managed_by_app_label",)
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_slot_rule",)
 
 
 class SlotDeleteMutation(DeleteMutation):
     klass = Slot
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_slot"
 
 
 class SlotBatchCreateMutation(PermissionBatchPatchMixin, DjangoBatchCreateMutation):
@@ -70,7 +71,7 @@ class SlotBatchCreateMutation(PermissionBatchPatchMixin, DjangoBatchCreateMutati
         model = Slot
         field_types = {"weekday": graphene.Int()}
         exclude = ("managed_by_app_label",)
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_slot_rule",)
 
 
 class SlotBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
@@ -83,7 +84,7 @@ class SlotBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation
     class Meta:
         model = Slot
         field_types = {"weekday": graphene.Int()}
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_slot",)
 
 
 class CarryOverSlotsMutation(graphene.Mutation):
@@ -99,11 +100,12 @@ class CarryOverSlotsMutation(graphene.Mutation):
 
     @classmethod
     def mutate(cls, root, info, time_grid, from_day, to_day, only=None):
+        if not info.context.user.has_perm("lesrooster.change_slot"):
+            raise PermissionDenied()
+
         if only is None:
             only = []
 
-        # TODO: Check permissions
-
         time_grid = TimeGrid.objects.get(id=time_grid)
 
         slots_on_day = Slot.objects.filter(weekday=from_day, time_grid=time_grid)
@@ -160,11 +162,12 @@ class CopySlotsFromDifferentRangeMutation(graphene.Mutation):
 
     @classmethod
     def mutate(cls, root, info, time_grid, from_time_grid):
+        if not info.context.user.has_perm("lesrooster.change_slot"):
+            raise PermissionDenied()
+
         time_grid = TimeGrid.objects.get(id=time_grid)
         from_time_grid = TimeGrid.objects.get(id=from_time_grid)
 
-        # TODO: Check permissions
-
         # Check for each slot in the from_time_grid if it exists in the time_grid, if not, create it
         slots = Slot.objects.filter(time_grid=from_time_grid)
 

aleksis/apps/lesrooster/schema/time_grid.py

@@ -37,23 +37,23 @@ class TimeGridType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 class TimeGridCreateMutation(DjangoCreateMutation):
     class Meta:
         model = TimeGrid
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_time_grid_rule",)
         exclude = ("managed_by_app_label",)
 
 
 class TimeGridDeleteMutation(DeleteMutation):
     klass = TimeGrid
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_timegrid"
 
 
 class TimeGridBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
     class Meta:
         model = TimeGrid
-        permissions = ("lesrooster.delete_time_grid",)
+        permissions = ("lesrooster.delete_timegrid",)
 
 
 class TimeGridBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
     class Meta:
         model = TimeGrid
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_timegrid",)
         exclude = ("managed_by_app_label",)

aleksis/apps/lesrooster/schema/timebound_course_config.py

@@ -84,23 +84,23 @@ class TimeboundCourseConfigCreateMutation(DjangoCreateMutation):
     class Meta:
         model = TimeboundCourseConfig
         fields = ("id", "course", "validity_range", "lesson_quota", "teachers")
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_timebound_course_config_rule",)
 
 
 class TimeboundCourseConfigBatchCreateMutation(DjangoBatchCreateMutation):
     class Meta:
         model = TimeboundCourseConfig
         fields = ("id", "course", "validity_range", "lesson_quota", "teachers")
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_timebound_course_config_rule",)
 
 
 class TimeboundCourseConfigDeleteMutation(DeleteMutation):
     klass = TimeboundCourseConfig
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_timeboundcourseconfig"
 
 
 class TimeboundCourseConfigBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
     class Meta:
         model = TimeboundCourseConfig
         fields = ("id", "course", "validity_range", "lesson_quota", "teachers")
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_timeboundcourseconfig",)

aleksis/apps/lesrooster/schema/validity_range.py

@@ -37,23 +37,23 @@ class ValidityRangeType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectTyp
 class ValidityRangeCreateMutation(DjangoCreateMutation):
     class Meta:
         model = ValidityRange
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.create_validity_range_rule",)
         exclude = ("managed_by_app_label",)
 
 
 class ValidityRangeDeleteMutation(DeleteMutation):
     klass = ValidityRange
-    permission_required = ""  # FIXME
+    permission_required = "lesrooster.delete_validityrange"
 
 
 class ValidityRangeBatchDeleteMutation(PermissionBatchDeleteMixin, DjangoBatchDeleteMutation):
     class Meta:
         model = ValidityRange
-        permissions = ("lesrooster.delete_validity_range",)
+        permissions = ("lesrooster.delete_validityrange",)
 
 
 class ValidityRangeBatchPatchMutation(PermissionBatchPatchMixin, DjangoBatchPatchMutation):
     class Meta:
         model = ValidityRange
-        permissions = ("",)  # FIXME
+        permissions = ("lesrooster.change_validityrange",)
         exclude = ("managed_by_app_label",)