From b7cdcf96bf39b02c65d0138534fa1a8898636c91 Mon Sep 17 00:00:00 2001
From: Jorran de Wit <jorrandewit@outlook.com>
Date: Tue, 3 Oct 2017 15:12:44 +0200
Subject: [PATCH] Fix permissions going wrong on production

---
 .../partials/production_stream_card.html | 66 ++++++++++---------
 production/views.py | 6 +-
 2 files changed, 37 insertions(+), 35 deletions(-)

diff --git a/production/templates/production/partials/production_stream_card.html b/production/templates/production/partials/production_stream_card.html
index f1f88a568..f174556e1 100644
--- a/production/templates/production/partials/production_stream_card.html
+++ b/production/templates/production/partials/production_stream_card.html
@@ -9,37 +9,39 @@
 <h3>Events</h3>
 {% include 'production/partials/production_events.html' with events=stream.events.all %}
- {% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor or "can_perform_supervisory_actions" in sub_perms %}
- <h3>Actions</h3>
- <ul>
- {% if perms.scipost.can_assign_production_supervisor and assign_supervisor_form %}
- <li>
- <a href="javascript:;" data-toggle="toggle" data-target="#add_supervisor_{{stream.id}}">Assign Production Supervisor to this stream</a>
- <div id="add_supervisor_{{stream.id}}" style="display: none;">
- <form class="my-3" action="{% url 'production:add_supervisor' stream_id=stream.id %}" method="post">
- {% csrf_token %}
- {{ assign_supervisor_form|bootstrap_inline }}
- <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
- </form>
- </div>
- </li>
- {% endif %}
- {% if "can_perform_supervisory_actions" in sub_perms and assign_officer_form %}
- <li>
- <a href="javascript:;" data-toggle="toggle" data-target="#add_officer_{{stream.id}}">Assign Production Officer to this stream</a>
- <div id="add_officer_{{stream.id}}" style="display: none;">
- <form class="my-3" action="{% url 'production:add_officer' stream_id=stream.id %}" method="post">
- {% csrf_token %}
- {{ assign_officer_form|bootstrap_inline }}
- <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
- </form>
- </div>
- </li>
- {% endif %}
- {% if perms.scipost.can_publish_accepted_submission %}
- <li><a href="{% url 'production:mark_as_completed' stream_id=stream.id %}">Mark this stream as completed</a></li>
- {% endif %}
- </ul>
+ {% if "can_work_for_stream" in sub_perms %}
+ {% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor and perms.scipost.can_assign_production_officer %}
+ <h3>Actions</h3>
+ <ul>
+ {% if perms.scipost.can_assign_production_supervisor and assign_supervisor_form %}
+ <li>
+ <a href="javascript:;" data-toggle="toggle" data-target="#add_supervisor_{{stream.id}}">Assign Production Supervisor to this stream</a>
+ <div id="add_supervisor_{{stream.id}}" style="display: none;">
+ <form class="my-3" action="{% url 'production:add_supervisor' stream_id=stream.id %}" method="post">
+ {% csrf_token %}
+ {{ assign_supervisor_form|bootstrap_inline }}
+ <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
+ </form>
+ </div>
+ </li>
+ {% endif %}
+ {% if perms.scipost.can_assign_production_officer and assign_officer_form %}
+ <li>
+ <a href="javascript:;" data-toggle="toggle" data-target="#add_officer_{{stream.id}}">Assign Production Officer to this stream</a>
+ <div id="add_officer_{{stream.id}}" style="display: none;">
+ <form class="my-3" action="{% url 'production:add_officer' stream_id=stream.id %}" method="post">
+ {% csrf_token %}
+ {{ assign_officer_form|bootstrap_inline }}
+ <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
+ </form>
+ </div>
+ </li>
+ {% endif %}
+ {% if perms.scipost.can_publish_accepted_submission %}
+ <li><a href="{% url 'production:mark_as_completed' stream_id=stream.id %}">Mark this stream as completed</a></li>
+ {% endif %}
+ </ul>
+ {% endif %}
 {% endif %}
 {% endblock %}
@@ -57,7 +59,7 @@
 <li>Production Officer:
 {% if stream.officer %}
 <strong>{{ stream.officer }}</strong>
- {% if "can_perform_supervisory_actions" in sub_perms %}
+ {% if perms.scipost.can_assign_production_officer and "can_work_for_stream" in sub_perms %}
 · <a href="{% url 'production:remove_officer' stream_id=stream.id officer_id=stream.officer.id %}" class="text-danger">Remove from stream</a>
 {% endif %}
 {% else %}
diff --git a/production/views.py b/production/views.py
index bcafcdbe0..32d47a41a 100644
--- a/production/views.py
+++ b/production/views.py
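Review bot: In the new outer gate `{% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor and perms.scipost.can_assign_production_officer %}` the template `and` binds tighter than `or`, so a user who holds only `can_assign_production_supervisor` (plus the stream's `can_work_for_stream`) never reaches the inner `{% if perms.scipost.can_assign_production_supervisor and assign_supervisor_form %}` branch, and one who holds only `can_assign_production_officer` is likewise shut out even though the officer branch below would render for them. If the intent is "show Actions whenever any of the three listed actions is available", `{% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor or perms.scipost.can_assign_production_officer %}` matches the inner branches; if both assignment perms really are required together, a short template comment saying why would stop the next reader from "fixing" it. This gating is presentational only, so whichever form is chosen should be checked against the server-side rule in the `add_officer`/`remove_officer`/`add_supervisor` views rather than relied on by itself. The supervisor form's submit button is still labelled `value="Add officer"`. The enclosing `{% block %}` opens before this hunk.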
@@ -112,7 +112,7 @@ def add_event(request, stream_id):
 def add_officer(request, stream_id):
 stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id)
 checker = ObjectPermissionChecker(request.user)
- if not checker.has_perm('can_perform_supervisory_actions', stream):
+ if not checker.has_perm('can_work_for_stream', stream) or not request.user.has_perm('scipost.can_assign_production_officer'):
 return redirect(reverse('production:production'))
 form = AssignOfficerForm(request.POST or None, instance=stream)
@@ -133,7 +133,7 @@ def add_officer(request, stream_id):
 def remove_officer(request, stream_id, officer_id):
 stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id)
 checker = ObjectPermissionChecker(request.user)
- if not checker.has_perm('can_perform_supervisory_actions', stream):
+ if not checker.has_perm('can_work_for_stream', stream) or not request.user.has_perm('scipost.can_assign_production_officer'):
 return redirect(reverse('production:production'))
 if getattr(stream.officer, 'id', 0) == int(officer_id):
@@ -158,7 +158,7 @@ def add_supervisor(request, stream_id):
 messages.success(request, 'Supervisor {supervisor} has been assigned.'.format(
 supervisor=supervisor))
 notify_new_stream_assignment(request.user, stream, supervisor.user)
- assign_perm('can_perform_supervisory_actions', supervisor.user, stream)
+ # assign_perm('can_perform_supervisory_actions', supervisor.user, stream)
 else:
 for key, error in form.errors.items():
 messages.warning(request, error[0])
-- 
GitLab
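Review bot: The new two-part check `if not checker.has_perm('can_work_for_stream', stream) or not request.user.has_perm('scipost.can_assign_production_officer'):` is duplicated verbatim in `add_officer` here and in `remove_officer` in the next hunk, and the template gates the same actions with a third copy; a rule spread over three places is exactly how the mismatch this commit fixes arises, so it belongs in one helper that both views call. The rewrite below is equivalent (`not A or not B` is `not (A and B)`) and drops the `checker` local, which is fine only if nothing further down either view still uses it — both bodies continue past their hunks. A denied request is still answered with a silent redirect to the stream list; that is pre-existing, but consider whether a 403 (or at least a log line) would make authorization failures visible to operations.
```python
def _may_manage_officer(user, stream):
    """Return True if ``user`` may assign or remove the officer of ``stream``.

    Single home for the rule shared by add_officer and remove_officer.
    """
    checker = ObjectPermissionChecker(user)
    return (checker.has_perm('can_work_for_stream', stream)
            and user.has_perm('scipost.can_assign_production_officer'))


def add_officer(request, stream_id):
    stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id)
    if not _may_manage_officer(request.user, stream):
        return redirect(reverse('production:production'))
    # … unchanged: AssignOfficerForm handling …
```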
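Review bot: Commenting out `assign_perm('can_perform_supervisory_actions', supervisor.user, stream)` in `add_supervisor` leaves nothing in this hunk granting the newly assigned supervisor the `can_work_for_stream` object permission that `add_officer` and `remove_officer` now require, so unless that grant happens elsewhere (not visible here) a fresh supervisor will be redirected away from both views. Streams whose supervisors only ever received the old `can_perform_supervisory_actions` grant are also not converted by this commit; if they are expected to keep working, a data migration or one-off re-grant is needed alongside it. Delete the dead line rather than keeping it commented out, and if the grant is meant to stay here write `assign_perm('can_work_for_stream', supervisor.user, stream)` instead. The body of `add_supervisor` begins before this hunk.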