From c39f2bea00d161c98a55834e1a6bfc6d02ca5530 Mon Sep 17 00:00:00 2001 From: Valentin Deniaud Date: Thu, 16 Sep 2021 12:05:52 +0200 Subject: [PATCH] manager: allow viewing resources of editable agenda (#56977) --- chrono/agendas/models.py | 6 +++++ .../chrono/manager_resource_detail.html | 2 ++ chrono/manager/views.py | 11 +++++---- tests/manager/test_resource.py | 24 +++++++++++++++++++ 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/chrono/agendas/models.py b/chrono/agendas/models.py index 94d604b1..0d95882d 100644 --- a/chrono/agendas/models.py +++ b/chrono/agendas/models.py @@ -2078,6 +2078,12 @@ class Resource(models.Model): def base_slug(self): return slugify(self.label) + def can_be_viewed(self, user): + if user.is_staff: + return True + group_ids = [x.id for x in user.groups.all()] + return self.agenda_set.filter(edit_role_id__in=group_ids).exists() + class Category(models.Model): slug = models.SlugField(_('Identifier'), max_length=160, unique=True) diff --git a/chrono/manager/templates/chrono/manager_resource_detail.html b/chrono/manager/templates/chrono/manager_resource_detail.html index 5348c8f0..68f89550 100644 --- a/chrono/manager/templates/chrono/manager_resource_detail.html +++ b/chrono/manager/templates/chrono/manager_resource_detail.html @@ -16,8 +16,10 @@ {% endblock %} {% block appbar-extras %} +{% if request.user.is_staff %} {% trans 'Edit' %} {% trans 'Delete' %} +{% endif %} {% now "Y" as today_year %} {% now "n" as today_month %} {% now "j" as today_day %} diff --git a/chrono/manager/views.py b/chrono/manager/views.py index 7baf3f39..67ce5e5b 100644 --- a/chrono/manager/views.py +++ b/chrono/manager/views.py @@ -178,7 +178,8 @@ class ResourceDetailView(DetailView): model = Resource def dispatch(self, request, *args, **kwargs): - if not request.user.is_staff: + resource = self.get_object() + if not resource.can_be_viewed(request.user): raise PermissionDenied() return super().dispatch(request, *args, **kwargs) 
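Review bot: `can_be_viewed` has no docstring, and since it is now the single permission rule behind three views the rule should be stated where it lives; suggest `"""Return True if the user is staff or holds the edit role of any agenda this resource is attached to."""`. The `group_ids` list is built in Python from a full fetch of `user.groups.all()` only to be fed back into a filter, which the ORM can express as one subquery: `return self.agenda_set.filter(edit_role__in=user.groups.all()).exists()`. Access is granted through any agenda sharing the resource, so if the resource day/month views show activity from every such agenda, a user who can edit only one of them sees the others too — presumably intended, but worth confirming and noting in the docstring.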
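Review bot: Wrapping the Edit and Delete links in `{% if request.user.is_staff %}` only hides the links; it does not stop a non-staff manager from requesting those URLs directly, and the edit and delete views are not part of this patch, so whether they keep their own staff check cannot be confirmed from here. The template gates on `is_staff` while the view gates on `Resource.can_be_viewed`, so the two predicates will drift silently if the rule changes again; exposing the edit permission as a method or context flag next to `can_be_viewed` would keep both decisions in one place.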
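Review bot: `ResourceDetailView.dispatch` now calls `self.get_object()` before the permission check, so a non-staff user without the edit role gets a 404 for a missing pk and a 403 for an existing one, where previously both were refused with 403; the same reordering appears in the ResourceDayView and ResourceMonthView hunks below, where `get_object_or_404` moved ahead of the check. Whether resource ids are sensitive enough for that distinction to matter is a judgement call, but if it should stay hidden, a missing object can be reported to non-staff users as the same PermissionDenied, as sketched below (`Http404` comes from `django.http` if the file does not already import it). Note also that `DetailView.get()` fetches the object a second time, so the detail page now costs two lookups per request.
```python
    def dispatch(self, request, *args, **kwargs):
        try:
            resource = self.get_object()
        except Http404:
            # non-staff users get the same answer for missing and forbidden ids
            if not request.user.is_staff:
                raise PermissionDenied()
            raise
        if not resource.can_be_viewed(request.user):
            raise PermissionDenied()
        return super().dispatch(request, *args, **kwargs)
```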
@@ -212,9 +213,9 @@ class ResourceDayView(DateMixin, DayArchiveView): allow_future = True def dispatch(self, request, *args, **kwargs): - if not request.user.is_staff: - raise PermissionDenied() self.resource = get_object_or_404(Resource, pk=kwargs['pk']) + if not self.resource.can_be_viewed(request.user): + raise PermissionDenied() # specify 6am time to get the expected timezone on daylight saving time # days. try: @@ -339,9 +340,9 @@ class ResourceMonthView(DateMixin, MonthArchiveView): allow_future = True def dispatch(self, request, *args, **kwargs): - if not request.user.is_staff: - raise PermissionDenied() self.resource = get_object_or_404(Resource, pk=kwargs['pk']) + if not self.resource.can_be_viewed(request.user): + raise PermissionDenied() self.date = make_aware( datetime.datetime.strptime( '%s-%s-%s 06:00' % (self.get_year(), self.get_month(), 1), '%Y-%m-%d %H:%M' diff --git a/tests/manager/test_resource.py b/tests/manager/test_resource.py index 66f86aa2..43233698 100644 --- a/tests/manager/test_resource.py +++ b/tests/manager/test_resource.py 
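Review bot: `ResourceDayView.dispatch` and `ResourceMonthView.dispatch` now open with the same two-line lookup-and-permission prologue, and `ResourceDetailView.dispatch` carries a third copy of the same rule; a small mixin that fetches `self.resource` and raises `PermissionDenied` from `can_be_viewed` would keep the three in step the next time the rule changes. Both dispatch bodies continue past the end of their hunks, so the suggestion is limited to the shared prologue.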
@@ -560,3 +560,27 @@ def test_meetings_agenda_resources(app, admin_user): resp = resp.follow() assert '/manage/resource/%s/' % resource.pk not in resp.text assert '/manage/agendas/%s/resource/%s/delete/' % (agenda.pk, resource.pk) not in resp.text + + +def test_resource_access_permission(app, manager_user): + agenda = Agenda.objects.create(label='Foo Bar', kind='meetings') + resource = Resource.objects.create(label='Resource 1', agenda=agenda) + resource2 = Resource.objects.create(label='Resource 2') + agenda.resources.add(resource) + + app = login(app, username='manager', password='manager') + assert app.get('/manage/resource/%s/' % resource.pk, status=403) + assert app.get('/manage/resource/%s/' % resource2.pk, status=403) + + agenda.edit_role = manager_user.groups.all()[0] + agenda.save() + + resp = app.get('/manage/agendas/%s/settings' % agenda.pk) + resp = resp.click('Resource 1') + assert 'Edit' not in resp.text + assert 'Delete' not in resp.text + + assert resp.click('Month view') + assert resp.click('Day view') + + assert app.get('/manage/resource/%s/' % resource2.pk, status=403) -- 2.30.2
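Review bot: `assert 'Edit' not in resp.text` and `assert 'Delete' not in resp.text` are fragile substring checks — any other occurrence of those words on the page (a heading, a nav label, another row) would make them fail or pass for the wrong reason; the test just above asserts on the link URLs instead, and the delete URL pattern it uses could be reused here. The new test also never requests the edit or delete endpoints as the non-staff manager, so it proves the links are hidden but not that the server refuses the action; a direct `app.get(<edit-url>, status=403)` and the matching delete request would pin the enforcement rather than the presentation. The Month view and Day view clicks only check that the pages load, which is enough for the permission change but leaves the 403 paths for a resource outside the user's agendas covered solely by the `resource2` assertions.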