Fix permission checking in views

dbcb157a · Tom Teichler · 4c1cfb6d · dbcb157a · dbcb157a · dbcb157a
Commit dbcb157a authored 3 years ago by Tom Teichler
--- a/aleksis/apps/paweljong/menus.py
+++ b/aleksis/apps/paweljong/menus.py
@@ -18,7 +18,7 @@ MENUS = {
            "validators": [
                (
                    "aleksis.core.util.predicates.permission_validator",
-                    "paweljong.change_events_rule",
+                    "paweljong.view_menu",
                )
            ],
            "submenu": [

--- a/aleksis/apps/paweljong/predicates.py
+++ b/aleksis/apps/paweljong/predicates.py
@@ -36,3 +36,9 @@ def is_own_voucher(user: User, voucher: Voucher) -> bool:
 def is_own_registration(user: User, registration: EventRegistration) -> bool:
    """Predicate which checks if the registration belongs to the user."""
    return registration.person == user.person
+
+
+@predicate
+def is_organiser(user: User, obj: EventRegistration) -> bool:
+    """Predicate which checks if the user is an organiser."""
+    return user.person in obj.event.linked_group.owners.all()
--- a/aleksis/apps/paweljong/rules.py
+++ b/aleksis/apps/paweljong/rules.py
@@ -9,10 +9,11 @@ from aleksis.core.util.predicates import (
    is_group_member,
 )

-from .models import Event, EventRegistration, Terms, Voucher
+from .models import Event, EventRegistration, Terms, Voucher, RegistrationState, InfoMailing
 from .predicates import (
    is_own_registration,
    is_own_voucher,
+    is_organiser,
    see_group_by_grouptype,
    see_owned_groups_members,
 )
@@ -75,22 +76,21 @@ may_see_person_predicate = has_person & (
 )
 rules.add_perm("paweljong.see_person_rule", may_see_person_predicate)

-# View registrations
-view_registrations_predicate = has_person & (
-    has_global_perm("paweljong.view_eventregistration")
-    | has_any_object("paweljong.view_eventregistration", EventRegistration)
-)
-rules.add_perm("paweljong.view_registrations_rule", view_registrations_predicate)
-
-
 # Manage registrations
 manage_registrations_predicate = has_person & (
    has_global_perm("paweljong.manage_registration")
+    | is_organiser
    | is_own_registration
-    | has_any_object("paweljong.manage_registration", EventRegistration)
 )
 rules.add_perm("paweljong.manage_registrations_rule", manage_registrations_predicate)

+# View registrations
+view_registrations_predicate = has_person & (
+    has_global_perm("paweljong.view_eventregistration")
+    | has_any_object("paweljong.manage_registrations_rule", EventRegistration)
+)
+rules.add_perm("paweljong.view_registrations_rule", view_registrations_predicate)
+
 # Delete registrations
 delete_registrations_predicate = has_person & (
    has_global_perm("paweljong.delete_eventregistration")
@@ -117,3 +117,13 @@ view_info_mailings_predicate = has_person & (
    | has_any_object("paweljong.view_info_mailing", Terms)
 )
 rules.add_perm("paweljong.view_info_mailings_rule", view_info_mailings_predicate)
+
+can_view_menu_predicate = has_person & (
+    has_any_object("paweljong.manage_registrations_rule", EventRegistration)
+    | has_any_object("paweljong.view_info_mailing", InfoMailing)
+    | has_any_object("paweljong.view_terms", Terms)
+    | has_any_object("paweljong.view_voucher", Voucher)
+    | has_any_object("paweljong.view_event", Event)
+    | has_any_object("paweljong.view_registrationstate", RegistrationState)
+)
+rules.add_perm("paweljong.view_menu", can_view_menu_predicate)
--- a/aleksis/apps/paweljong/templates/paweljong/event_registration/full.html
+++ b/aleksis/apps/paweljong/templates/paweljong/event_registration/full.html
@@ -43,8 +43,7 @@
  <h5>{% blocktrans %}Contact details{% endblocktrans %}</h5>
  <div class="row">
    <div class="col s12 m4">
-      {% has_perm 'core.view_photo' user registration.person as can_view_photo %}
-      {% if registration.person.photo and can_view_photo %}
+      {% if registration.person.photo %}
        <img class="person-img" src="{{ registration.person.photo.url }}"
             alt="{{ registration.person.first_name }} {{ registration.person.last_name }}"/>
      {% else %}
@@ -56,7 +55,6 @@
      <table class="responsive-table highlight">
        <tr>
          <td rowspan="6">
-
          </td>
          <td>
            <i class="material-icons small">person</i>
@@ -81,31 +79,25 @@
            <td colspan="2">{{ registration.person.postal_code }} {{ registration.person.place }}</td>
          </tr>
        {% endif %}
-        {% has_perm 'core.view_contact_details' user registration.person as can_view_contact_details %}
-        {% if can_view_contact_details %}
-          <tr>
-            <td>
-              <i class="material-icons small">phone</i>
-            </td>
-            <td>{{ registration.person.phone_number }}</td>
-            <td>{{ registration.person.mobile_number }}</td>
-          </tr>
-          <tr>
-            <td>
-              <i class="material-icons small">email</i>
-            </td>
-            <td colspan="3">{{ registration.person.email }}</td>
-          </tr>
-        {% endif %}
-        {% has_perm 'core.view_personal_details' user registration.person as can_view_personal_details %}
-        {% if can_view_personal_details %}
-          <tr>
-            <td>
-              <i class="material-icons small">cake</i>
-            </td>
-            <td colspan="3">{{ registration.person.date_of_birth|date }}</td>
-          </tr>
-        {% endif %}
+        <tr>
+          <td>
+            <i class="material-icons small">phone</i>
+          </td>
+          <td>{{ registration.person.phone_number }}</td>
+          <td>{{ registration.person.mobile_number }}</td>
+        </tr>
+        <tr>
+          <td>
+            <i class="material-icons small">email</i>
+          </td>
+          <td colspan="3">{{ registration.person.email }}</td>
+        </tr>
+        <tr>
+          <td>
+            <i class="material-icons small">cake</i>
+          </td>
+          <td colspan="3">{{ registration.person.date_of_birth|date }}</td>
+        </tr>
        <tr>
          <td></td>
          <td>
@@ -165,7 +157,6 @@
            </tr>
          {% endfor %}
        {% endif %}
-
        <tr>
          <tr>
            <td>
@@ -190,7 +181,7 @@
    </div>
  </div>

-  {% if registration.person.guardians.all and can_view_personal_details %}
+  {% if registration.person.guardians.all %}
  <h5>{% trans "Guardians / Parents "%}</h5>
  {% for person in registration.person.guardians.all %}
    <div class="col s12 m8">
@@ -222,22 +213,19 @@
            <td colspan="2">{{ person.postal_code }} {{ person.place }}</td>
          </tr>
        {% endif %}
-        {% has_perm 'core.view_contact_details' user person as can_view_contact_details %}
-        {% if can_view_contact_details %}
-          <tr>
-            <td>
-              <i class="material-icons small">phone</i>
-            </td>
-            <td>{{ person.phone_number }}</td>
-            <td>{{ person.mobile_number }}</td>
-          </tr>
-          <tr>
-            <td>
-              <i class="material-icons small">email</i>
-            </td>
-            <td colspan="3">{{ person.email }}</td>
-          </tr>
-        {% endif %}
+        <tr>
+          <td>
+            <i class="material-icons small">phone</i>
+          </td>
+          <td>{{ person.phone_number }}</td>
+          <td>{{ person.mobile_number }}</td>
+        </tr>
+        <tr>
+          <td>
+            <i class="material-icons small">email</i>
+          </td>
+          <td colspan="3">{{ person.email }}</td>
+        </tr>
        {% has_perm 'core.view_personal_details' user person as can_view_personal_details %}
        {% if can_view_personal_details %}
          <tr>

--- a/aleksis/apps/paweljong/views.py
+++ b/aleksis/apps/paweljong/views.py
@@ -26,6 +26,7 @@ from aleksis.apps.postbuero.models import MailAddress
 from aleksis.core.mixins import AdvancedCreateView, AdvancedDeleteView, AdvancedEditView
 from aleksis.core.models import Activity, Person
 from aleksis.core.util import messages
+from aleksis.core.util.predicates import queryset_rules_filter
 from aleksis.core.util.core_helpers import get_site_preferences, objectgetter_optional

 from .filters import EventFilter, EventRegistrationFilter, VoucherFilter
@@ -134,13 +135,13 @@ def generate_lists(request: HttpRequest) -> HttpResponse:
    return render(request, "paweljong/print/manage.html", context)


-@permission_required("paweljong.view_registrations")
+@permission_required("paweljong.view_registrations_rule")
 def registrations(request: HttpRequest) -> HttpResponse:
    """List view listing all registrations."""
    context = {}

    # Get all registrations
-    registrations = EventRegistration.objects.all()
+    registrations = queryset_rules_filter(request.user, EventRegistration.objects.all(), "paweljong.manage_registrations_rule")

    # Get filter
    registrations_filter = EventRegistrationFilter(request.GET, queryset=registrations)
@@ -219,7 +220,7 @@ class EventRegistrationDetailView(PermissionRequiredMixin, DetailView):
    """Detail view for an application instance."""

    context_object_name = "registration"
-    permission_required = "paweljong.view_registration"
+    permission_required = "paweljong.manage_registrations_rule"
    template_name = "paweljong/event_registration/full.html"

    def get_queryset(self):