Tweak how managers work

Anyone can add to any group, and can edit their own items. Managers of a group can edit any items in that group.

selfserv/settings.example.py

@@ -28,8 +28,6 @@ ALLOWED_HOSTS = []
 PROMO_LOGO_URL = 'https://placehold.it/2000x500'
 PROMO_LOGO_LINK = 'https://example.com'
 
-ENFORCE_GROUP_MANAGERS = True
-
 
 # Application definition
 

sspromotions/jinja2/sspromotions/bulletin_edit.html

@@ -2,7 +2,7 @@
 
 {#
     Society Self-Service
-    Copyright © 2018  Yingtong Li (RunasSudo)
+    Copyright © 2018-2019  Yingtong Li (RunasSudo)
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU Affero General Public License as published by
@@ -28,6 +28,10 @@
 			<label class="three wide column">ID</label>
 			<input class="eleven wide column" type="text" name="id" value="{{ item.id if item.id != None else '' }}">
 		</div>
+		<div class="ui disabled inline grid field">
+			<label class="three wide column">Author</label>
+			<input class="eleven wide column" type="text" name="author" value="{{ item.author.email }}">
+		</div>
 		<div class="ui required inline grid field">
 			<label class="three wide column">Title</label>
 			<input class="eleven wide column" type="text" name="title" value="{{ item.title }}">
@@ -70,7 +74,7 @@
 		<div class="ui inline grid field">
 			<label class="three wide column">Also limit to</label>
 			<div class="eleven wide column">
-					{% for group in all_groups %}
+					{% for group in groups %}
 						<div class="field" style="display: inline; margin-right: 1em;">
 							<div class="ui checkbox">
 								<input type="checkbox" name="also_limit_{{ group.id }}"{% if group.id in item.also_limit %} checked{% endif %}>

sspromotions/models.py

@@ -25,14 +25,12 @@ class Group(models.Model):
 	subscribable = models.BooleanField()
 	order = models.IntegerField(null=True, blank=True)
 	
-	managers = JSONField(default=[])
+	managers = JSONField(default=[], blank=True)
 	
 	def __str__(self):
 		return self.name
 	
 	def can_user_access(self, user):
-		if not settings.ENFORCE_GROUP_MANAGERS:
-			return True
 		if user.is_superuser:
 			return True
 		if user.email in self.managers:
@@ -47,6 +45,7 @@ class Group(models.Model):
 		ordering = ['order', 'id']
 
 class BulletinItem(models.Model):
+	author = models.ForeignKey(User, on_delete=models.CASCADE)
 	group = models.ForeignKey(Group, on_delete=models.CASCADE)
 	also_limit = JSONField(default=[])
 	title = models.CharField(max_length=100)
@@ -54,6 +53,15 @@ class BulletinItem(models.Model):
 	image = models.ImageField(upload_to='promo_uploads/%Y/%m/%d/', null=True)
 	content = models.TextField()
 	date = models.DateField()
+	
+	def can_user_access(self, user):
+		if self.group.can_user_access(user):
+			return True
+		if user == self.author:
+			return True
+		if user.email in self.author.delegates:
+			return True
+		return False
 
 class CalendarItem(models.Model):
 	group = models.ForeignKey(Group, on_delete=models.CASCADE)

sspromotions/views.py

@@ -39,7 +39,7 @@ def bulletin_list(request):
 	dtend = dtbegin + datetime.timedelta(days=7)
 	
 	for item in models.BulletinItem.objects.all():
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			continue
 		
 		if item.date >= dtbegin and item.date < dtend:
@@ -75,9 +75,8 @@ def bulletin_preview(request):
 def bulletin_new(request):
 	if request.method == 'POST':
 		item = models.BulletinItem()
+		item.author = request.user
 		item.group = models.Group.objects.get(id=int(request.POST['group']))
-		if not item.group.can_user_access(request.user):
-			return HttpResponse('Unauthorized', status=401)
 		item.title = request.POST['title']
 		item.date = request.POST['date']
 		item.content = request.POST['content']
@@ -93,12 +92,12 @@ def bulletin_new(request):
 			return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 	else:
 		item = models.BulletinItem()
+		item.author = request.user
 		item.date = timezone.now().date()
 		item.date += datetime.timedelta(days=(6 - item.date.weekday() + 7) % 7) # Next Sunday (6 = Sunday)
 		return render(request, 'sspromotions/bulletin_edit.html', {
 			'item': item,
-			'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
+			'groups': models.Group.objects.all()
-			'all_groups': models.Group.objects.all()
 		})
 
 @login_required
@@ -106,7 +105,7 @@ def bulletin_edit(request, id):
 	if request.method == 'POST':
 		item = models.BulletinItem.objects.get(id=id)
 		item.group = models.Group.objects.get(id=int(request.POST['group']))
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			return HttpResponse('Unauthorized', status=401)
 		item.title = request.POST['title']
 		item.date = request.POST['date']
@@ -123,18 +122,17 @@ def bulletin_edit(request, id):
 			return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 	else:
 		item = models.BulletinItem.objects.get(id=id)
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			return HttpResponse('Unauthorized', status=401)
 		return render(request, 'sspromotions/bulletin_edit.html', {
 			'item': item,
-			'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
+			'groups': models.Group.objects.all()
-			'all_groups': models.Group.objects.all()
 		})
 
 @login_required
 def bulletin_delete(request, id):
 	item = models.BulletinItem.objects.get(id=id)
-	if not item.group.can_user_access(request.user):
+	if not item.can_user_access(request.user):
 		return HttpResponse('Unauthorized', status=401)
 	item.delete()