diff --git a/sspromotions/models.py b/sspromotions/models.py
index dae6a95..54a3748 100644
--- a/sspromotions/models.py
+++ b/sspromotions/models.py
@@ -25,14 +25,12 @@ class Group(models.Model):
subscribable = models.BooleanField()
order = models.IntegerField(null=True, blank=True)
- managers = JSONField(default=[])
+ managers = JSONField(default=[], blank=True)
def __str__(self):
return self.name
def can_user_access(self, user):
- if not settings.ENFORCE_GROUP_MANAGERS:
- return True
if user.is_superuser:
return True
if user.email in self.managers:
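Review bot: `JSONField(default=[], blank=True)` on `managers` passes one list object as the field default, and a callable is the form Django recommends for mutable defaults so that each new row gets a fresh list. Since the line is being edited anyway, `managers = JSONField(default=list, blank=True)` is the safer spelling; `also_limit` on `BulletinItem` has the same pattern. With the `settings.ENFORCE_GROUP_MANAGERS` early return removed, this list is the only non-superuser gate visible in `can_user_access`, so an accidentally shared default would affect authorization directly. The method body continues past the end of the hunk.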
@@ -47,6 +45,7 @@ class Group(models.Model):
ordering = ['order', 'id']
class BulletinItem(models.Model):
+ author = models.ForeignKey(User, on_delete=models.CASCADE)
group = models.ForeignKey(Group, on_delete=models.CASCADE)
also_limit = JSONField(default=[])
title = models.CharField(max_length=100)
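Review bot: The new `author` foreign key is non-nullable and uses `on_delete=models.CASCADE`, so deleting a user account also deletes every bulletin item that user authored. If bulletins should outlive the account, `author = models.ForeignKey(User, null=True, on_delete=models.SET_NULL)` (or `models.PROTECT`) keeps them, and the item-level `can_user_access` would then have to tolerate `self.author` being `None`. Existing rows will also need an author value in the accompanying migration, which is not visible here.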
@@ -54,6 +53,15 @@ class BulletinItem(models.Model):
image = models.ImageField(upload_to='promo_uploads/%Y/%m/%d/', null=True)
content = models.TextField()
date = models.DateField()
+
+ def can_user_access(self, user):
+ if self.group.can_user_access(user):
+ return True
+ if user == self.author:
+ return True
+ if user.email in self.author.delegates:
+ return True
+ return False
class CalendarItem(models.Model):
group = models.ForeignKey(Group, on_delete=models.CASCADE)
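Review bot: `user.email in self.author.delegates` grants access on a plain, case-sensitive string match against an e-mail address, so the check is only as strong as the `email` field on this `User` model, which is not visible here. If addresses are user-editable, unverified or not unique, the delegate list no longer identifies one specific account. Matching on user ids would be more robust, or at least compare normalised addresses and skip the test when `user.email` is empty. The method also has no docstring; something like `"""Return True if user manages the item's group, authored the item, or is a delegate of the author."""` would record the intended policy. `Group.can_user_access` uses the same e-mail match against `managers`.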
diff --git a/sspromotions/views.py b/sspromotions/views.py
index 7d98935..61f3c1b 100644
--- a/sspromotions/views.py
+++ b/sspromotions/views.py
@@ -39,7 +39,7 @@ def bulletin_list(request):
dtend = dtbegin + datetime.timedelta(days=7)
for item in models.BulletinItem.objects.all():
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
continue
if item.date >= dtbegin and item.date < dtend:
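Review bot: `item.can_user_access(request.user)` now dereferences both `item.group` and `item.author` for every row yielded by `models.BulletinItem.objects.all()`, which adds queries per item. Iterating `models.BulletinItem.objects.select_related('group', 'author')` keeps the listing to a single query. The date window is also applied in Python after the permission check, so filtering on `date` in the queryset first would cut down the rows that reach it. The loop body continues outside the hunk.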
@@ -75,9 +75,8 @@ def bulletin_preview(request):
def bulletin_new(request):
if request.method == 'POST':
item = models.BulletinItem()
+ item.author = request.user
item.group = models.Group.objects.get(id=int(request.POST['group']))
- if not item.group.can_user_access(request.user):
- return HttpResponse('Unauthorized', status=401)
item.title = request.POST['title']
item.date = request.POST['date']
item.content = request.POST['content']
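Review bot: With the `item.group.can_user_access(request.user)` check removed from the POST branch, nothing visible in this hunk limits which group a new bulletin item is filed under; the group comes straight from `request.POST['group']`. If open submission to any group is the intent, a short comment such as `# Any logged-in user may submit to any group; edits are gated by BulletinItem.can_user_access` would stop the missing check from reading as an accident. Otherwise a creation-time gate should stay. Separately, `models.Group.objects.get(id=int(request.POST['group']))` raises on a missing or non-numeric value and surfaces as a 500. The decorator on `bulletin_new` is outside the hunk; `item.author = request.user` relies on it being `@login_required`.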
@@ -93,12 +92,12 @@ def bulletin_new(request):
return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
else:
item = models.BulletinItem()
+ item.author = request.user
item.date = timezone.now().date()
item.date += datetime.timedelta(days=(6 - item.date.weekday() + 7) % 7) # Next Sunday (6 = Sunday)
return render(request, 'sspromotions/bulletin_edit.html', {
'item': item,
- 'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
- 'all_groups': models.Group.objects.all()
+ 'groups': models.Group.objects.all()
})
@login_required
@@ -106,7 +105,7 @@ def bulletin_edit(request, id):
if request.method == 'POST':
item = models.BulletinItem.objects.get(id=id)
item.group = models.Group.objects.get(id=int(request.POST['group']))
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
return HttpResponse('Unauthorized', status=401)
item.title = request.POST['title']
item.date = request.POST['date']
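Review bot: The permission check in the POST branch runs after `item.group` has already been replaced with the group named in `request.POST['group']`, so `item.can_user_access` evaluates `self.group` against the requested destination rather than the group the item is stored under. A user who manages only the destination group would therefore pass the check for an item they neither authored nor manage. Access should be evaluated on the freshly loaded item: move `if not item.can_user_access(request.user): return HttpResponse('Unauthorized', status=401)` directly under `item = models.BulletinItem.objects.get(id=id)` and assign `item.group` afterwards. The rest of the POST branch is outside the hunk.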
@@ -123,18 +122,17 @@ def bulletin_edit(request, id):
return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
else:
item = models.BulletinItem.objects.get(id=id)
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
return HttpResponse('Unauthorized', status=401)
return render(request, 'sspromotions/bulletin_edit.html', {
'item': item,
- 'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
- 'all_groups': models.Group.objects.all()
+ 'groups': models.Group.objects.all()
})
@login_required
def bulletin_delete(request, id):
item = models.BulletinItem.objects.get(id=id)
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
return HttpResponse('Unauthorized', status=401)
item.delete()
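Review bot: `bulletin_delete` calls `item.delete()` for any request method once `item.can_user_access` passes, and this commit widens who passes to authors and their delegates. Django's CSRF middleware does not cover GET requests, so the view should be restricted with `@require_POST` from `django.views.decorators.http`, with the delete control rendered as a form carrying a CSRF token. The denials here and in `bulletin_edit` also return 401 to a user who is already authenticated; 403 (`HttpResponseForbidden`) is the matching status. The function may continue past the end of the hunk.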