From 6b8361aadd86de6fdad08bf486620daa635fc696 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-S=C3=A9bastien=20Caux?= <git@jscaux.org>
Date: Mon, 31 Jan 2022 07:59:32 +0100
Subject: [PATCH] Improve logic for nomination view access

---
 scipost_django/colleges/permissions.py        | 24 ++++++++++---------
 .../colleges/_hx_nomination_form.html         | 20 +++++++++-------
 .../templates/colleges/_hx_nominations.html   |  2 +-
 .../templates/colleges/nominations.html       |  6 ++---
 scipost_django/colleges/views.py              | 10 ++++----
 5 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/scipost_django/colleges/permissions.py b/scipost_django/colleges/permissions.py
index d61409bc5..394b35c34 100644
--- a/scipost_django/colleges/permissions.py
+++ b/scipost_django/colleges/permissions.py
@@ -35,18 +35,20 @@ def fellowship_or_admin_required():
     return user_passes_test(test)
 
 
+def is_edadmin_or_advisory_or_active_regular_or_senior_fellow(user):
+    return (user.groups.filter(name='Editorial Administrators').exists() or
+            user.groups.filter(name='Advisory Board').exists() or
+            Fellowship.objects.active().regular_or_senior().filter(
+                contributor__user=user).exists())
+
+
 def is_edadmin_or_active_regular_or_senior_fellow(user):
-    if not user.has_perm('scipost.can_run_pre_screening'):
-        return Fellowship.objects.active().regular_or_senior(
-        ).filter(contributor__user=user).exists()
-    return True
+    return (user.groups.filter(name='Editorial Administrators').exists() or
+            Fellowship.objects.active().regular_or_senior().filter(
+                contributor__user=user).exists())
 
 
 def is_edadmin_or_senior_fellow(user):
-    if not user.has_perm('scipost.can_run_pre_screening'):
-        try:
-            fellow = Fellowship.objects.active().get(contributor__user=user)
-            return fellow.senior
-        except:
-            return False
-    return True
+    return (user.groups.filter(name='Editorial Administrators').exists() or
+            Fellowship.objects.active().senior().filter(
+                contributor__user=user).exists())
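Review bot: The rewritten `is_edadmin_or_senior_fellow` drops the old try/except, so none of these three predicates guards against an unauthenticated user: `user.groups` is empty for AnonymousUser, and the `Fellowship...filter(contributor__user=user)` lookup that follows will probably raise instead of returning False when `user_passes_test` hands it an anonymous request. An early `if not user.is_authenticated: return False` in each predicate would keep the decorator's redirect-to-login behaviour. Separately, replacing `has_perm('scipost.can_run_pre_screening')` with a literal group name means superusers, and anyone holding that permission outside the 'Editorial Administrators' group, no longer pass. If that is intended, a one-line docstring on each function should say so, and the group names repeated here as string literals would be safer as module-level constants.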
diff --git a/scipost_django/colleges/templates/colleges/_hx_nomination_form.html b/scipost_django/colleges/templates/colleges/_hx_nomination_form.html
index 97de4a203..876a069a9 100644
--- a/scipost_django/colleges/templates/colleges/_hx_nomination_form.html
+++ b/scipost_django/colleges/templates/colleges/_hx_nomination_form.html
@@ -1,10 +1,12 @@
 {% load crispy_forms_tags %}
-<h3>Nomination to Fellowship:&emsp;<span class="bg-success bg-opacity-25 p-2"><em>{{ profile }}</em></span></h3>
-<form
-    hx-post="{% url 'colleges:_hx_nomination_form' profile_id=profile.pk %}"
-    hx-target="#nomination_form_response"
-    hx-indicator="#nomination_form_response-indicator"
->
-  {% csrf_token %}
-  {% crispy nomination_form %}
-</form>
+<div class="m-2 p-4 border border-warning">
+  <h3>Nomination to Fellowship:&emsp;<span class="bg-success bg-opacity-25 p-2"><em>{{ profile }}</em></span></h3>
+  <form
+      hx-post="{% url 'colleges:_hx_nomination_form' profile_id=profile.pk %}"
+      hx-target="#nomination_form_response"
+      hx-indicator="#nomination_form_response-indicator"
+  >
+    {% csrf_token %}
+    {% crispy nomination_form %}
+  </form>
+</div>
diff --git a/scipost_django/colleges/templates/colleges/_hx_nominations.html b/scipost_django/colleges/templates/colleges/_hx_nominations.html
index 1265eec30..6ba5b622f 100644
--- a/scipost_django/colleges/templates/colleges/_hx_nominations.html
+++ b/scipost_django/colleges/templates/colleges/_hx_nominations.html
@@ -7,7 +7,7 @@
 {% endfor %}
 {% if page_obj.has_next %}
   <li hx-post="{% url 'colleges:_hx_nominations' %}?page={{ page_obj.next_page_number }}"
-      hx-include="#search-form"
+      hx-include="#search-nominations-form"
       hx-trigger="revealed"
       hx-swap="afterend"
       hx-indicator="#indicator-search-page-{{ page_obj.number }}"
diff --git a/scipost_django/colleges/templates/colleges/nominations.html b/scipost_django/colleges/templates/colleges/nominations.html
index ebe0d1ec3..893d52f4f 100644
--- a/scipost_django/colleges/templates/colleges/nominations.html
+++ b/scipost_django/colleges/templates/colleges/nominations.html
@@ -16,7 +16,7 @@
 
   {% is_ed_admin request.user as is_ed_admin %}
 
-  <h1 class="highlight">Fellowship Nominations<span class="text-danger ms-4">{% include 'bi/cone-striped.html' %}[in construction]</span></h1>
+  <h1 class="highlight">Fellowship Nominations<span class="text-danger ms-4">{% include 'bi/cone-striped.html' %}<em>in construction</em>&nbsp;{% include 'bi/cone-striped.html' %}</span></h1>
 
   <p>Consult the
     <a href="{% url 'submissions:monitor' %}" target="_blank">Submissions Monitor</a> page.
@@ -36,7 +36,8 @@
 	  <h3>Procedure</h3>
 	  <ul>
 	    <li>Type your search query in the search form</li>
-	    <li>When the name you're looking for appears in the list of matches, double-click on it</li>
+	    <li>When the name you're looking for appears in the
+	      <em>Matching profiles</em> list, double-click on it</li>
 	    <li>The nomination form will appear below</li>
 	    <li>Non-eligibility flags (if any) will appear</li>
 	    <li>If eligible, fill the form in (comments are optional)</li>
@@ -50,7 +51,6 @@
 		  hx-target="#profile_dynsel_results"
 		  hx-indicator="#profile_dynsel_results-indicator"
 	      >
-		{% csrf_token %}
 		<div id="profile_dynsel_form">{% crispy profile_dynsel_form %}</div>
 	      </form>
 	    </div>
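Review bot: Removing `{% csrf_token %}` from the profile search form is only safe if the form's request does not need the token, and the opening `<form>` tag with its hx-get/hx-post attribute lies outside this hunk. If the form posts, Django's CSRF middleware will reject the request unless the token is supplied another way, for example `hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'` on an enclosing element. The same applies to the paginated `hx-post` in `_hx_nominations.html`, which now takes its fields from `#search-nominations-form`, so that form must still carry the token. A short template comment stating where the token comes from would stop a later edit from turning this into a silent 403 or tempting someone to exempt the view.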
diff --git a/scipost_django/colleges/views.py b/scipost_django/colleges/views.py
index b6471f886..e96e3d3ad 100644
--- a/scipost_django/colleges/views.py
+++ b/scipost_django/colleges/views.py
@@ -19,7 +19,7 @@ from django.views.generic.edit import CreateView, UpdateView, DeleteView
 from django.views.generic.list import ListView
 
 from colleges.permissions import (
-    is_edadmin_or_senior_fellow, is_edadmin_or_active_regular_or_senior_fellow
+    is_edadmin_or_senior_fellow, is_edadmin_or_advisory_or_active_regular_or_senior_fellow
 )
 from colleges.utils import check_profile_eligibility_for_fellowship
 from submissions.models import Submission
@@ -536,7 +536,7 @@ class PotentialFellowshipEventCreateView(PermissionsMixin, CreateView):
 ###############
 
 
-@user_passes_test(is_edadmin_or_active_regular_or_senior_fellow)
+@user_passes_test(is_edadmin_or_advisory_or_active_regular_or_senior_fellow)
 def nominations(request):
     """
     List Nominations.
@@ -555,7 +555,7 @@ def nominations(request):
     return render(request, 'colleges/nominations.html', context)
 
 
-@user_passes_test(is_edadmin_or_active_regular_or_senior_fellow)
+@user_passes_test(is_edadmin_or_advisory_or_active_regular_or_senior_fellow)
 def _hx_nomination_form(request, profile_id):
     profile = get_object_or_404(Profile, pk=profile_id)
     failed_eligibility_criteria = check_profile_eligibility_for_fellowship(profile)
@@ -585,7 +585,7 @@ def _hx_nomination_form(request, profile_id):
     return render(request, 'colleges/_hx_nomination_form.html', context)
 
 
-@user_passes_test(is_edadmin_or_active_regular_or_senior_fellow)
+@user_passes_test(is_edadmin_or_advisory_or_active_regular_or_senior_fellow)
 def _hx_nominations(request):
     form = FellowshipNominationSearchForm(request.POST or None)
     if form.is_valid():
@@ -599,7 +599,7 @@ def _hx_nominations(request):
     return render(request, 'colleges/_hx_nominations.html', context)
 
 
-@user_passes_test(is_edadmin_or_active_regular_or_senior_fellow)
+@user_passes_test(is_edadmin_or_advisory_or_active_regular_or_senior_fellow)
 def _hx_nomination_voting_rounds(request):
     fellowship = request.user.contributor.session_fellowship(request)
     filters = request.GET.get('filters', None)
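Review bot: `_hx_nomination_voting_rounds` now admits Advisory Board members on group membership alone, yet its first statement is `request.user.contributor.session_fellowship(request)`, which assumes the user has a contributor and presumably an active Fellowship. A user who passes the widened predicate without one may yield no fellowship here, or raise if there is no contributor, so the code that uses `fellowship` should handle that case explicitly, e.g. with an `if fellowship is None:` branch returning an empty or forbidden response. The rest of the function is outside the hunk, so this may already be covered there. The same widening applies to `_hx_nomination_form`, so it is worth confirming that Advisory Board members are meant to submit nominations and not only view them.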
-- 
GitLab