From f74fd1d5b606458fa1cf18262b4ed1ddb98b2d15 Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Wed, 15 Nov 2023 14:06:47 +0100
Subject: [PATCH] forbid non-seniors from nomination vote details
---
 scipost_django/colleges/forms.py             |  1 -
 scipost_django/colleges/managers.py          |  7 ++++++-
 scipost_django/colleges/models/nomination.py | 16 ++++++++++++++--
 scipost_django/colleges/views.py             | 13 +++++++------
 4 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/scipost_django/colleges/forms.py b/scipost_django/colleges/forms.py
index a12602e9c..1c9fa9c47 100644
--- a/scipost_django/colleges/forms.py
+++ b/scipost_django/colleges/forms.py
@@ -681,7 +681,6 @@ class FellowshipNominationSearchForm(forms.Form):
             )
         if self.cleaned_data.get("can_vote"):
-            # or not self.user.has_perm("scipost.can_view_all_nomination_voting_rounds"):
             # Restrict rounds to those the user can vote on
             nominations = nominations.with_user_votable_rounds(self.user).distinct()
diff --git a/scipost_django/colleges/managers.py b/scipost_django/colleges/managers.py
index 5d2e0ef96..f26a593bc 100644
--- a/scipost_django/colleges/managers.py
+++ b/scipost_django/colleges/managers.py
@@ -146,9 +146,14 @@ class FellowshipNominationQuerySet(models.QuerySet):
         )
     def with_user_votable_rounds(self, user):
-        # votable_rounds = self.voting_rounds.where_user_can_vote(user)
+        # Get colleges of senior fellowships of user so that non-senior fellows
+        # cannot vote despite being on the eligible_to_vote list.
+        user_senior_fellowship_colleges = (
+            user.contributor.fellowships.senior().active().values("college")
+        )
         return self.filter(
             Q(voting_rounds__eligible_to_vote__in=user.contributor.fellowships.active())
+            & Q(voting_rounds__nomination__college__in=user_senior_fellowship_colleges)
         )
diff --git a/scipost_django/colleges/models/nomination.py b/scipost_django/colleges/models/nomination.py
index 1f289db9f..3a6cf2c23 100644
--- a/scipost_django/colleges/models/nomination.py
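Review bot: The college restriction added to `with_user_votable_rounds` is evaluated independently of the eligibility check, so the two `Q` clauses can be satisfied by different fellowships: the `eligible_to_vote` lookup still uses all of `user.contributor.fellowships.active()`, while only the college set is narrowed to senior fellowships. Tying both conditions to the same fellowship queryset closes that gap, e.g. `senior = user.contributor.fellowships.senior().active()` followed by `Q(voting_rounds__eligible_to_vote__in=senior) & Q(college__in=senior.values("college"))`. The `voting_rounds__nomination__college` path appears to join back to the nomination this queryset already selects, so `college__in` should express the same condition with one join fewer; confirm against the model definitions, which are not in this patch. The method is shown in full, but the class continues outside the hunk.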
+++ b/scipost_django/colleges/models/nomination.py
@@ -266,7 +266,19 @@ class FellowshipNominationVotingRound(models.Model):
     def can_view(self, user) -> bool:
         """Return whether the user can view this voting round.
-        They must be authenticated and have voting eligibility or be edadmin."""
+        They must either be edadmin or all of the following:
+        - authenticated
+        - a senior fellow in the nomination's college and
+        - have voting eligibility in the round."""
+
+        if not user.is_authenticated:
+            return False
+
+        if is_edadmin(user):
+            return True
+
+        fellowships = user.contributor.fellowships.active().senior()
+        senior_in_college = self.nomination.college in fellowships.values("college")
         eligibility_per_fellowship = [
             fellowship in self.eligible_to_vote.all()
@@ -274,7 +286,7 @@ class FellowshipNominationVotingRound(models.Model):
         ]
         eligible_to_vote = any(eligibility_per_fellowship)
-        return user.is_authenticated and (eligible_to_vote or is_edadmin(user))
+        return senior_in_college and eligible_to_vote
 class FellowshipNominationVote(models.Model):
diff --git a/scipost_django/colleges/views.py b/scipost_django/colleges/views.py
index e555df159..85ad66d20 100644
--- a/scipost_django/colleges/views.py
+++ b/scipost_django/colleges/views.py
@@ -28,7 +28,7 @@ from colleges.permissions import (
     is_edadmin_or_advisory_or_active_regular_or_senior_fellow,
 )
 from colleges.utils import check_profile_eligibility_for_fellowship
-from scipost.permissions import HTMXResponse
+from scipost.permissions import HTMXPermissionsDenied, HTMXResponse
 from submissions.models import Submission
 from .constants import (
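Review bot: `senior_in_college` can never be true as written: `fellowships.values("college")` yields dicts of the form `{"college": <pk>}`, and testing `self.nomination.college` (a model instance) for membership in that queryset compares an instance against dicts, which is always false, so every non-edadmin user is denied regardless of seniority. Replace it with a query, `senior_in_college = fellowships.filter(college=self.nomination.college).exists()`, or compare primary keys via `values_list("college", flat=True)`. The eligibility comprehension that follows is cut off by the hunk; if it still iterates every active fellowship rather than the `fellowships` queryset built here, the senior-college and eligibility conditions can be met by different fellowships, and the loop should iterate the same senior queryset. `can_view` continues past the end of this hunk.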
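Review bot: `HTMXPermissionsDenied` is added to the import line but none of the hunks in this patch reference it; the denial in `_hx_voting_round_details` (the -1176 hunk) still returns `HTMXResponse(..., tag="danger")`. Either drop the import or use it at that return, which looks like the place it was meant for; its call signature is not visible here, so check it in scipost.permissions before switching.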
@@ -802,8 +802,6 @@ def _hx_nominations_list(request):
     return render(request, "colleges/_hx_nominations_list.html", context)
-@login_required
-@user_passes_test(is_edadmin_or_advisory_or_active_regular_or_senior_fellow)
 def _hx_nomination_voting_rounds_tab(request, nomination_id, round_id):
     """Render the selected voting round contents and display the others as tabs."""
     nomination = get_object_or_404(FellowshipNomination, pk=nomination_id)
@@ -1167,8 +1165,6 @@ def _hx_nomination_round_add_eligible_voter_set(request, round_id, voter_set_nam
     )
-@login_required
-@user_passes_test(is_edadmin_or_senior_fellow)
 def _hx_voting_round_details(request, round_id):
     round = get_object_or_404(FellowshipNominationVotingRound, pk=round_id)
     context = {
@@ -1176,7 +1172,12 @@ def _hx_voting_round_details(request, round_id):
     }
     if not round.can_view(request.user):
-        return HTMXResponse("You are not allowed to view this round.", tag="danger")
+        return HTMXResponse(
+            "You are not allowed to vote in this round. ",
+            # "This may be because you are not a senior Fellow of the College "
+            # "or because you may not have been invited to vote in it.",
+            tag="danger",
+        )
     if not round.is_closed:
         voter_add_form = FellowshipDynSelForm(
-- GitLab
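Review bot: Removing `@login_required` and `@user_passes_test(...)` from `_hx_nomination_voting_rounds_tab` leaves the visible part of the view with no access check at all; it loads the nomination by `nomination_id`, and its body continues outside the hunk, so unless that body calls `can_view` on the selected round (as `_hx_voting_round_details` does), any request, including an anonymous one, now reaches it. Keep `@login_required` as the outer gate and add an explicit check on the round being rendered, e.g. `if not round.can_view(request.user): return HTMXResponse("You are not allowed to view this round.", tag="danger")`; the local variable names past the hunk are not visible, so adjust accordingly. The same decorators are dropped from `_hx_voting_round_details` in the -1167 hunk, where the early return on `round.can_view` in the -1176 hunk does gate the rest of that view, and `can_view` now tests `user.is_authenticated` first so the anonymous case no longer reaches `user.contributor`.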
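Review bot: The rewritten denial in `_hx_voting_round_details` leaves two commented-out string fragments inside the `HTMXResponse(...)` call and a trailing space in `"You are not allowed to vote in this round. "`, which reads as an unfinished edit; either complete the sentence or delete the dead lines. The message also says "vote" while the condition is `round.can_view`, which gates viewing, so the previous wording `"You are not allowed to view this round."` or one naming both the seniority and eligibility requirements keeps the text aligned with the check. `_hx_voting_round_details` starts in the -1167 hunk and continues past this one.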