Fix permissions going wrong on production

b7cdcf96 · Jorran de Wit · cbf56ecd · b7cdcf96 · b7cdcf96
Commit b7cdcf96 authored 7 years ago by Jorran de Wit
--- a/production/templates/production/partials/production_stream_card.html
+++ b/production/templates/production/partials/production_stream_card.html
@@ -9,37 +9,39 @@
  <h3>Events</h3>
  {% include 'production/partials/production_events.html' with events=stream.events.all %}
-  {% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor or "can_perform_supervisory_actions" in sub_perms %}
+    {% if "can_work_for_stream" in sub_perms %}
-      <h3>Actions</h3>
+      {% if perms.scipost.can_publish_accepted_submission or perms.scipost.can_assign_production_supervisor and perms.scipost.can_assign_production_officer %}
-      <ul>
+          <h3>Actions</h3>
-          {% if perms.scipost.can_assign_production_supervisor and assign_supervisor_form %}
+          <ul>
-              <li>
+              {% if perms.scipost.can_assign_production_supervisor and assign_supervisor_form %}
-                  <a href="javascript:;" data-toggle="toggle" data-target="#add_supervisor_{{stream.id}}">Assign Production Supervisor to this stream</a>
+                  <li>
-                  <div id="add_supervisor_{{stream.id}}" style="display: none;">
+                      <a href="javascript:;" data-toggle="toggle" data-target="#add_supervisor_{{stream.id}}">Assign Production Supervisor to this stream</a>
-                      <form class="my-3" action="{% url 'production:add_supervisor' stream_id=stream.id %}" method="post">
+                      <div id="add_supervisor_{{stream.id}}" style="display: none;">
-                          {% csrf_token %}
+                          <form class="my-3" action="{% url 'production:add_supervisor' stream_id=stream.id %}" method="post">
-                          {{ assign_supervisor_form|bootstrap_inline }}
+                              {% csrf_token %}
-                          <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
+                              {{ assign_supervisor_form|bootstrap_inline }}
-                      </form>
+                              <input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
-                  </div>
+                          </form>
-              </li>
+                      </div>
-          {% endif %}
+                  </li>
-          {% if "can_perform_supervisory_actions" in sub_perms and assign_officer_form %}
+              {% endif %}
-            <li>
+              {% if perms.scipost.can_assign_production_officer and assign_officer_form %}
-                <a href="javascript:;" data-toggle="toggle" data-target="#add_officer_{{stream.id}}">Assign Production Officer to this stream</a>
+                <li>
-                <div id="add_officer_{{stream.id}}" style="display: none;">
+                    <a href="javascript:;" data-toggle="toggle" data-target="#add_officer_{{stream.id}}">Assign Production Officer to this stream</a>
-                    <form class="my-3" action="{% url 'production:add_officer' stream_id=stream.id %}" method="post">
+                    <div id="add_officer_{{stream.id}}" style="display: none;">
-                      	{% csrf_token %}
+                        <form class="my-3" action="{% url 'production:add_officer' stream_id=stream.id %}" method="post">
-                      	{{ assign_officer_form|bootstrap_inline }}
+                          	{% csrf_token %}
-                      	<input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
+                          	{{ assign_officer_form|bootstrap_inline }}
-                    </form>
+                          	<input type="submit" class="btn btn-outline-primary" name="submit" value="Add officer">
-                </div>
+                        </form>
-            </li>
+                    </div>
-          {% endif %}
+                </li>
-          {% if perms.scipost.can_publish_accepted_submission %}
+              {% endif %}
-            <li><a href="{% url 'production:mark_as_completed' stream_id=stream.id %}">Mark this stream as completed</a></li>
+              {% if perms.scipost.can_publish_accepted_submission %}
-          {% endif %}
+                <li><a href="{% url 'production:mark_as_completed' stream_id=stream.id %}">Mark this stream as completed</a></li>
-      </ul>
+              {% endif %}
+          </ul>
+      {% endif %}
  {% endif %}
 {% endblock %}
@@ -57,7 +59,7 @@
    <li>Production Officer:
          {% if stream.officer %}
              <strong>{{ stream.officer }}</strong>
-              {% if "can_perform_supervisory_actions" in sub_perms %}
+              {% if perms.scipost.can_assign_production_officer and "can_work_for_stream" in sub_perms %}
                  &middot; <a href="{% url 'production:remove_officer' stream_id=stream.id officer_id=stream.officer.id %}" class="text-danger">Remove from stream</a>
              {% endif %}
          {% else %}

--- a/production/views.py
+++ b/production/views.py
@@ -112,7 +112,7 @@ def add_event(request, stream_id):
 def add_officer(request, stream_id):
    stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id)
    checker = ObjectPermissionChecker(request.user)
-    if not checker.has_perm('can_perform_supervisory_actions', stream):
+    if not checker.has_perm('can_work_for_stream', stream) or not request.user.has_perm('scipost.can_assign_production_officer'):
        return redirect(reverse('production:production'))
    form = AssignOfficerForm(request.POST or None, instance=stream)
@@ -133,7 +133,7 @@ def add_officer(request, stream_id):
 def remove_officer(request, stream_id, officer_id):
    stream = get_object_or_404(ProductionStream.objects.ongoing(), pk=stream_id)
    checker = ObjectPermissionChecker(request.user)
-    if not checker.has_perm('can_perform_supervisory_actions', stream):
+    if not checker.has_perm('can_work_for_stream', stream) or not request.user.has_perm('scipost.can_assign_production_officer'):
        return redirect(reverse('production:production'))
    if getattr(stream.officer, 'id', 0) == int(officer_id):
@@ -158,7 +158,7 @@ def add_supervisor(request, stream_id):
        messages.success(request, 'Supervisor {supervisor} has been assigned.'.format(
            supervisor=supervisor))
        notify_new_stream_assignment(request.user, stream, supervisor.user)
-        assign_perm('can_perform_supervisory_actions', supervisor.user, stream)
+        # assign_perm('can_perform_supervisory_actions', supervisor.user, stream)
    else:
        for key, error in form.errors.items():
            messages.warning(request, error[0])