From 4638a71cfbdee576463a73038b89c08a2917879e Mon Sep 17 00:00:00 2001
From: Yingtong Li
Date: Fri, 25 Jan 2019 10:30:55 +1100
Subject: [PATCH] Tweak how managers work
Anyone can add to any group, and can edit their own items. Managers of a group can edit any items in that group.
---
selfserv/settings.example.py | 2 --
.../jinja2/sspromotions/bulletin_edit.html | 8 ++++++--
sspromotions/models.py | 14 +++++++++++---
sspromotions/views.py | 18 ++++++++----------
4 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/selfserv/settings.example.py b/selfserv/settings.example.py
index 703bd35..a056aad 100644
--- a/selfserv/settings.example.py
+++ b/selfserv/settings.example.py
@@ -28,8 +28,6 @@ ALLOWED_HOSTS = []
 PROMO_LOGO_URL = 'https://placehold.it/2000x500'
 PROMO_LOGO_LINK = 'https://example.com'
-ENFORCE_GROUP_MANAGERS = True
-
 # Application definition
diff --git a/sspromotions/jinja2/sspromotions/bulletin_edit.html b/sspromotions/jinja2/sspromotions/bulletin_edit.html
index 3fea4f9..50ef80e 100644
--- a/sspromotions/jinja2/sspromotions/bulletin_edit.html
+++ b/sspromotions/jinja2/sspromotions/bulletin_edit.html
@@ -2,7 +2,7 @@
 {# Society Self-Service
- Copyright © 2018 Yingtong Li (RunasSudo)
+ Copyright © 2018-2019 Yingtong Li (RunasSudo)
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by
@@ -28,6 +28,10 @@
+
+ + +
@@ -70,7 +74,7 @@
- {% for group in all_groups %}
+ {% for group in groups %}
diff --git a/sspromotions/models.py b/sspromotions/models.py
index dae6a95..54a3748 100644
--- a/sspromotions/models.py
+++ b/sspromotions/models.py
@@ -25,14 +25,12 @@ class Group(models.Model):
 subscribable = models.BooleanField()
 order = models.IntegerField(null=True, blank=True)
- managers = JSONField(default=[])
+ managers = JSONField(default=[], blank=True)
 def __str__(self):
 return self.name
 def can_user_access(self, user):
- if not settings.ENFORCE_GROUP_MANAGERS:
- return True
 if user.is_superuser:
 return True
 if user.email in self.managers:
@@ -47,6 +45,7 @@ class Group(models.Model):
 ordering = ['order', 'id']
 class BulletinItem(models.Model):
+ author = models.ForeignKey(User, on_delete=models.CASCADE)
 group = models.ForeignKey(Group, on_delete=models.CASCADE)
 also_limit = JSONField(default=[])
 title = models.CharField(max_length=100)
@@ -54,6 +53,15 @@ class BulletinItem(models.Model):
 image = models.ImageField(upload_to='promo_uploads/%Y/%m/%d/', null=True)
 content = models.TextField()
 date = models.DateField()
+
+ def can_user_access(self, user):
+ if self.group.can_user_access(user):
+ return True
+ if user == self.author:
+ return True
+ if user.email in self.author.delegates:
+ return True
+ return False
 class CalendarItem(models.Model):
 group = models.ForeignKey(Group, on_delete=models.CASCADE)
diff --git a/sspromotions/views.py b/sspromotions/views.py
index 7d98935..61f3c1b 100644
--- a/sspromotions/views.py
+++ b/sspromotions/views.py
@@ -39,7 +39,7 @@ def bulletin_list(request):
 dtend = dtbegin + datetime.timedelta(days=7)
 for item in models.BulletinItem.objects.all():
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
 continue
 if item.date >= dtbegin and item.date < dtend:
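Review bot: `managers = JSONField(default=[], blank=True)` keeps a single shared list object as the field default, so every Group created without an explicit value points at the same list, and newer Django releases flag a non-callable default on JSON fields for exactly this reason. Since the commit already touches this line, make it `managers = JSONField(default=list, blank=True)`. The context line `also_limit = JSONField(default=[])` in the next hunk has the same shape but is not changed by this commit.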
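Review bot: `author = models.ForeignKey(User, on_delete=models.CASCADE)` adds a non-nullable column, but the diffstat lists no migration, so existing BulletinItem rows have no author and `makemigrations` will stop to ask for a one-off default; ship the migration with a data step that back-fills `author`, or make the field nullable for the transition. CASCADE also means deleting a user account removes every bulletin item they wrote, which for a shared bulletin is probably not the intended retention behaviour — `on_delete=models.PROTECT` (or `SET_NULL` together with `null=True`) keeps the items. Both points are inferred from the diffstat and the field definition alone; the rest of the model is outside the hunk.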
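Review bot: The new `BulletinItem.can_user_access` becomes the single gate for listing, editing and deleting items in views.py, yet it carries no docstring stating which grants it combines. Add `"""Return True if *user* may act on this item: group managers (via Group.can_user_access, which also admits superusers), the item's author, or any user whose email is listed in the author's delegates."""`. The `self.author.delegates` attribute is not visible in this diff; if it can be None on some User rows, `user.email in self.author.delegates` raises instead of denying, so confirm it always yields a list or guard it with `in (self.author.delegates or [])`.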
@@ -75,9 +75,8 @@ def bulletin_preview(request):
 def bulletin_new(request):
 if request.method == 'POST':
 item = models.BulletinItem()
+ item.author = request.user
 item.group = models.Group.objects.get(id=int(request.POST['group']))
- if not item.group.can_user_access(request.user):
- return HttpResponse('Unauthorized', status=401)
 item.title = request.POST['title']
 item.date = request.POST['date']
 item.content = request.POST['content']
@@ -93,12 +92,12 @@ def bulletin_new(request):
 return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 else:
 item = models.BulletinItem()
+ item.author = request.user
 item.date = timezone.now().date()
 item.date += datetime.timedelta(days=(6 - item.date.weekday() + 7) % 7) # Next Sunday (6 = Sunday)
 return render(request, 'sspromotions/bulletin_edit.html', {
 'item': item,
- 'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
- 'all_groups': models.Group.objects.all()
+ 'groups': models.Group.objects.all()
 })
 @login_required
@@ -106,7 +105,7 @@ def bulletin_edit(request, id):
 if request.method == 'POST':
 item = models.BulletinItem.objects.get(id=id)
 item.group = models.Group.objects.get(id=int(request.POST['group']))
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
 return HttpResponse('Unauthorized', status=401)
 item.title = request.POST['title']
 item.date = request.POST['date']
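Review bot: In the bulletin_edit POST hunk, `if not item.can_user_access(request.user)` runs after `item.group` has already been overwritten with the POSTed group, so the manager branch of the check is evaluated against the group the requester chose rather than the group the item is stored in; a manager of any one group therefore passes the check for any item by submitting their own group id, which is wider than the "items in that group" rule in the commit message. Move `item.group = models.Group.objects.get(id=int(request.POST['group']))` below the `return HttpResponse('Unauthorized', status=401)` line so the check sees the stored item, and decide separately whether moving an item into a different group needs its own check. The previous code had the same ordering, but the new author/delegate branches make the stored-versus-requested distinction matter more. bulletin_edit's body (including the save, presumably) continues outside the hunk.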
@@ -123,18 +122,17 @@ def bulletin_edit(request, id):
 return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 else:
 item = models.BulletinItem.objects.get(id=id)
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
 return HttpResponse('Unauthorized', status=401)
 return render(request, 'sspromotions/bulletin_edit.html', {
 'item': item,
- 'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
- 'all_groups': models.Group.objects.all()
+ 'groups': models.Group.objects.all()
 })
 @login_required
 def bulletin_delete(request, id):
 item = models.BulletinItem.objects.get(id=id)
- if not item.group.can_user_access(request.user):
+ if not item.can_user_access(request.user):
 return HttpResponse('Unauthorized', status=401)
 item.delete()
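Review bot: `bulletin_delete` performs `item.delete()` straight after the new access check with no test of `request.method` visible in the hunk, so a plain GET to the delete URL — including a cross-site one, which Django's CSRF middleware does not cover since it only protects non-safe methods — removes the item. Stack `@require_POST` from `django.views.decorators.http` under `@login_required`, or add `if request.method != 'POST': return HttpResponseNotAllowed(['POST'])` before the lookup. This predates the commit, but the commit is what now lets authors and delegates reach the delete path, so it is worth closing here. What follows `item.delete()` lies outside the hunk.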