From f2788657bea30e063fbc48c48fb399e94800d995 Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Mon, 18 Mar 2024 12:36:25 +0100
Subject: [PATCH] add permissions for viewing and creating notes

---
 .../pins/templates/pins/_hx_notes_list.html   | 46 +++++++++++--------
 scipost_django/pins/views.py                  | 17 ++++++-
 .../commands/add_groups_and_permissions.py    | 10 ++++
 3 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/scipost_django/pins/templates/pins/_hx_notes_list.html b/scipost_django/pins/templates/pins/_hx_notes_list.html
index 81e183ba3..c3ac5f03e 100644
--- a/scipost_django/pins/templates/pins/_hx_notes_list.html
+++ b/scipost_django/pins/templates/pins/_hx_notes_list.html
@@ -1,25 +1,35 @@
 {% load scipost_extras %}
 
+<!-- Loader / Update Wrapper -->
 <div class="row" 
-     hx-get="{% url "pins:_hx_notes_list" object|content_type_id object.id %}" 
-     hx-trigger="notes-updated from:body target:form delay:2s, {% if notes is None %}load{% endif %}" 
-     hx-swap="outerHTML">
-  <div class="col-12">
-    <h3>Notes</h3>
-
-    <div>
-      <button class="btn btn-light btn-sm"
-              hx-get="{% url "pins:_hx_note_create_form" object|content_type_id object.id %}"
-              hx-target="closest div">Add note</button>
-    </div>
+    hx-get="{% url "pins:_hx_notes_list" object|content_type_id object.id %}" 
+    hx-trigger="notes-updated from:body target:form delay:1s, {% if notes is None %}load{% endif %}" 
+    hx-swap="outerHTML">
+<!-- Loader / Update Wrapper -->  
+
+  {% if can_create_notes or notes %}
+    <div class="col-12">
+      <h3>Notes</h3>
+
+      {% if can_create_notes %}
+        <div>
+          <button class="btn btn-light btn-sm"
+          hx-get="{% url "pins:_hx_note_create_form" object|content_type_id object.id %}"
+          hx-target="closest div">Add note</button>
+        </div>
+      {% endif %}
 
-    <ul>
-      
-      {% for note in notes %}
-        <li>{% include "pins/_hx_note_item.html" %}</li>
-      {% endfor %}
+      <ul>
 
-    </ul>
+        {% for note in notes %}
+          <li>{% include "pins/_hx_note_item.html" %}</li>
+        {% empty %}
+          <li>No notes exist for this {{ object|object_name }}</li>
+        {% endfor %}
+
+      </ul>
+
+    </div>
+  {% endif %}
 
-  </div>
 </div>
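Review bot: The `{% if can_create_notes %}` guard around the "Add note" button (L41–L47) hides the control in the UI only; the endpoint it targets, `pins:_hx_note_create_form` at L44, is not touched by this patch, so I cannot confirm from here that it enforces `pins.can_add_notes` server-side, and the button being hidden must not be the only check. The same applies to whatever view handles the form submission. Separately, the closing comment at L35 is a verbatim copy of the opening one at L19, which reads as a second opening; `<!-- /Loader / Update Wrapper -->` would mark it as the end of the wrapper.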
diff --git a/scipost_django/pins/views.py b/scipost_django/pins/views.py
index 483d3540f..963f1b425 100644
--- a/scipost_django/pins/views.py
+++ b/scipost_django/pins/views.py
@@ -2,6 +2,7 @@ __copyright__ = "Copyright © Stichting SciPost (SciPost Foundation)"
 __license__ = "AGPL v3"
 
 from django.contrib.contenttypes.models import ContentType
+from django.db.models import Q
 from django.template.response import TemplateResponse
 
 from scipost.permissions import HTMXResponse
@@ -39,11 +40,23 @@ def _hx_notes_list(request, regarding_content_type, regarding_object_id):
         regarding_object_id=regarding_object_id,
     )
 
-    # TODO: Filter to the notes that the user has permission to see
-    # ...
+    # Handle permission checks for viewing and creating notes
+    can_create_notes = request.user.has_perm("pins.can_add_notes")
+
+    # Filter non-author users from viewing private notes
+    notes = notes.exclude(
+        Q(visibility=Note.VISIBILITY_PRIVATE) & ~Q(author=request.user.contributor)
+    )
+
+    # Filter out internal notes unless the user has the default "manager"
+    # permission for the given object, e.g. "can_manage_subsidies"
+    model_plural = (object._meta.verbose_name_plural or "").lower()
+    if not request.user.has_perm(f"pins.can_manage_{model_plural}"):
+        notes = notes.exclude(visibility=Note.VISIBILITY_INTERNAL)
 
     context = {
         "object": object,
+        "can_create_notes": can_create_notes,
         "notes": notes,
     }
     return TemplateResponse(request, "pins/_hx_notes_list.html", context)
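Review bot: `request.user.contributor` at L93 is evaluated unconditionally, and unless `_hx_notes_list` is login-required (its decorators, if any, are above this hunk), an `AnonymousUser` has no `contributor` attribute and a logged-in user without a Contributor raises `RelatedObjectDoesNotExist`, so the notes list 500s instead of simply hiding private notes. Resolving the contributor with `getattr(..., None)` and dropping the author exemption when there is none keeps the exclusion fail-closed for such users. The manager check at L98–L99 also looks fragile: `verbose_name_plural` may contain spaces, and the `can_manage_*` permissions are created in the third file with a `content_type` that is not visibly the pins app's, so `has_perm("pins.can_manage_…")` may never match — that fails closed (internal notes hidden from everyone), which is safe but presumably not intended; worth a unit test against a real manager account. The enclosing function starts before this hunk.
```python
    # Filter non-author users from viewing private notes; users without a
    # contributor profile (including anonymous users) see none of them.
    contributor = getattr(request.user, "contributor", None)
    private_not_own = Q(visibility=Note.VISIBILITY_PRIVATE)
    if contributor is not None:
        private_not_own &= ~Q(author=contributor)
    notes = notes.exclude(private_not_own)
    # … unchanged: internal-notes filter and context …
```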
diff --git a/scipost_django/scipost/management/commands/add_groups_and_permissions.py b/scipost_django/scipost/management/commands/add_groups_and_permissions.py
index 3c4721121..4ceacdc5e 100644
--- a/scipost_django/scipost/management/commands/add_groups_and_permissions.py
+++ b/scipost_django/scipost/management/commands/add_groups_and_permissions.py
@@ -471,6 +471,13 @@ class Command(BaseCommand):
             content_type=content_type,
         )
 
+        # Pins and Notes
+        can_add_notes, created = Permission.objects.get_or_create(
+            code_name="can_add_notes",
+            name="Can add notes",
+            content_type=content_type,
+        )
+
         # Assign permissions to groups
         SciPostAdmin.permissions.set(
             [
@@ -515,6 +522,7 @@ class Command(BaseCommand):
                 can_preview_new_features,
                 can_view_all_nomination_voting_rounds,
                 can_view_fellowships_monitor,
+                can_add_notes,
             ]
         )
 
@@ -523,6 +531,7 @@ class Command(BaseCommand):
                 can_manage_organizations,
                 can_manage_subsidies,
                 can_view_timesheets,
+                can_add_notes,
             ]
         )
 
@@ -585,6 +594,7 @@ class Command(BaseCommand):
                 can_preview_new_features,
                 can_view_all_nomination_voting_rounds,
                 can_view_fellowships_monitor,
+                can_add_notes,
             ]
         )
 
-- 
GitLab