From a0d5a3346bdc78dc971da080e7eabfb3d258e2c7 Mon Sep 17 00:00:00 2001
From: "J.-S. Caux" <J.S.Caux@uva.nl>
Date: Mon, 12 Nov 2018 10:23:45 +0100
Subject: [PATCH] Ensure org details are only viewable if public

---
 finances/templates/finances/_subsidy_card.html | 2 +-
 organizations/models.py                        | 7 ++++++-
 organizations/views.py                         | 9 +++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/finances/templates/finances/_subsidy_card.html b/finances/templates/finances/_subsidy_card.html
index d3e0a2291..21b131fbc 100644
--- a/finances/templates/finances/_subsidy_card.html
+++ b/finances/templates/finances/_subsidy_card.html
@@ -16,7 +16,7 @@
 
       <table class="table">
 	<tr>
-	  <td>From:</td><td><a href="{{ subsidy.organization.get_absolute_url }}">{{ subsidy.organization }}</a></td>
+	  <td>From:</td><td>{% if subsidy.organization.details_publicly_viewable or perms.scipost.can_manage_organizations %}<a href="{{ subsidy.organization.get_absolute_url }}">{{ subsidy.organization }}</a>{% else %}{{ subsidy.organization }}{% endif %}</td>
 	</tr>
 	<tr>
 	  <td>Type:</td><td>{{ subsidy.get_subsidy_type_display }}</td>
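Review bot: The condition on the "From:" cell only decides whether the organization name is rendered as a link; the name itself is still shown to everyone, and the actual access restriction is the one added in `OrganizationDetailView.get_queryset`. Because the rule is written out inline here, any other template that links to `get_absolute_url` must repeat the same `details_publicly_viewable or perms.scipost.can_manage_organizations` test, or it will offer a link that returns a 404 to most users. A short template comment would make the intent clear, for example `{# link only when the detail page is reachable; access is enforced in the view #}`. The table continues outside this hunk.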
diff --git a/organizations/models.py b/organizations/models.py
index f47a81b12..291f8203e 100644
--- a/organizations/models.py
+++ b/organizations/models.py
@@ -12,7 +12,8 @@ from django.urls import reverse
 
 from django_countries.fields import CountryField
 
-from .constants import ORGANIZATION_TYPES, ORGANIZATION_STATUSES, ORGSTATUS_ACTIVE
+from .constants import ORGANIZATION_TYPES, ORGTYPE_PRIVATE_BENEFACTOR,\
+    ORGANIZATION_STATUSES, ORGSTATUS_ACTIVE
 from .managers import OrganizationQuerySet
 
 from scipost.models import Contributor
@@ -90,6 +91,10 @@ class Organization(models.Model):
     def get_absolute_url(self):
         return reverse('organizations:organization_details', kwargs = {'pk': self.id})
 
+    @property
+    def details_publicly_viewable(self):
+        return self.orgtype != ORGTYPE_PRIVATE_BENEFACTOR
+
     def get_publications(self):
         org_and_children_ids = [k['id'] for k in list(self.children.all().values('id'))]
         org_and_children_ids += [self.id]
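Review bot: The new `details_publicly_viewable` property has no docstring, and its name alone does not say that it is advisory, since nothing in the model enforces it. Something like `"""False for private benefactors; their detail page is restricted to users holding scipost.can_manage_organizations."""` would tie it to the check in organizations/views.py. The same rule is expressed a second time there as `exclude(orgtype=ORGTYPE_PRIVATE_BENEFACTOR)`, so a later change to this property would not change what the view serves. The `Organization` class body starts and ends outside this hunk.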
diff --git a/organizations/views.py b/organizations/views.py
index d145686b9..30dfbff9c 100644
--- a/organizations/views.py
+++ b/organizations/views.py
@@ -81,3 +81,12 @@ class OrganizationDetailView(DetailView):
         context = super().get_context_data(*args, **kwargs)
         context['pubyears'] = range(int(timezone.now().strftime('%Y')), 2015, -1)
         return context
+
+    def get_queryset(self):
+        """
+        Restrict view to permitted people if Organization details not publicly viewable.
+        """
+        queryset = super().get_queryset()
+        if not self.request.user.has_perm('scipost.can_manage_organizations'):
+            queryset = queryset.exclude(orgtype=ORGTYPE_PRIVATE_BENEFACTOR)
+        return queryset
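Review bot: `ORGTYPE_PRIVATE_BENEFACTOR` is used in the new `get_queryset`, but this commit adds no import to organizations/views.py; the diffstat's 9 additions for that file are all in this hunk. Unless the module already imports the constant (not visible here), every request from a user without `scipost.can_manage_organizations` would raise a NameError instead of returning a 404; if it is missing, add `from .constants import ORGTYPE_PRIVATE_BENEFACTOR`. The filter also restates the rule behind `Organization.details_publicly_viewable`, so the two can drift apart; putting the exclusion in a method on `OrganizationQuerySet` would let the view and any list views share one definition. A view test is worth adding that requests a private benefactor's pk as an anonymous user and as a user holding the permission.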
-- 
GitLab