Tweak how managers work

Anyone can add to any group, and can edit their own items. Managers of a group can edit any items in that group.
2019-01-25 10:30:55 +11:00 · 2019-01-25 10:30:55 +11:00 · 4638a71cfb
commit 4638a71cfb
parent 0941726c05
4 changed files with 25 additions and 17 deletions
--- a/selfserv/settings.example.py
+++ b/selfserv/settings.example.py
@ -28,8 +28,6 @@ ALLOWED_HOSTS = []
 PROMO_LOGO_URL = 'https://placehold.it/2000x500'
 PROMO_LOGO_LINK = 'https://example.com'

-ENFORCE_GROUP_MANAGERS = True
-

 # Application definition

--- a/sspromotions/jinja2/sspromotions/bulletin_edit.html
+++ b/sspromotions/jinja2/sspromotions/bulletin_edit.html
@ -2,7 +2,7 @@

 {#
    Society Self-Service
-    Copyright © 2018  Yingtong Li (RunasSudo)
+    Copyright © 2018-2019  Yingtong Li (RunasSudo)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
@ -28,6 +28,10 @@
 			<label class="three wide column">ID</label>
 			<input class="eleven wide column" type="text" name="id" value="{{ item.id if item.id != None else '' }}">
 		</div>
+		<div class="ui disabled inline grid field">
+			<label class="three wide column">Author</label>
+			<input class="eleven wide column" type="text" name="author" value="{{ item.author.email }}">
+		</div>
 		<div class="ui required inline grid field">
 			<label class="three wide column">Title</label>
 			<input class="eleven wide column" type="text" name="title" value="{{ item.title }}">
@ -70,7 +74,7 @@
 		<div class="ui inline grid field">
 			<label class="three wide column">Also limit to</label>
 			<div class="eleven wide column">
-					{% for group in all_groups %}
+					{% for group in groups %}
 						<div class="field" style="display: inline; margin-right: 1em;">
 							<div class="ui checkbox">
 								<input type="checkbox" name="also_limit_{{ group.id }}"{% if group.id in item.also_limit %} checked{% endif %}>
--- a/sspromotions/models.py
+++ b/sspromotions/models.py
@ -25,14 +25,12 @@ class Group(models.Model):
 	subscribable = models.BooleanField()
 	order = models.IntegerField(null=True, blank=True)
 	
-	managers = JSONField(default=[])
+	managers = JSONField(default=[], blank=True)
 	
 	def __str__(self):
 		return self.name
 	
 	def can_user_access(self, user):
-		if not settings.ENFORCE_GROUP_MANAGERS:
-			return True
 		if user.is_superuser:
 			return True
 		if user.email in self.managers:
@ -47,6 +45,7 @@ class Group(models.Model):
 		ordering = ['order', 'id']

 class BulletinItem(models.Model):
+	author = models.ForeignKey(User, on_delete=models.CASCADE)
 	group = models.ForeignKey(Group, on_delete=models.CASCADE)
 	also_limit = JSONField(default=[])
 	title = models.CharField(max_length=100)
@ -55,6 +54,15 @@ class BulletinItem(models.Model):
 	content = models.TextField()
 	date = models.DateField()
 	
+	def can_user_access(self, user):
+		if self.group.can_user_access(user):
+			return True
+		if user == self.author:
+			return True
+		if user.email in self.author.delegates:
+			return True
+		return False
+
 class CalendarItem(models.Model):
 	group = models.ForeignKey(Group, on_delete=models.CASCADE)
 	also_limit = JSONField(default=[])
--- a/sspromotions/views.py
+++ b/sspromotions/views.py
@ -39,7 +39,7 @@ def bulletin_list(request):
 	dtend = dtbegin + datetime.timedelta(days=7)
 	
 	for item in models.BulletinItem.objects.all():
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			continue
 		
 		if item.date >= dtbegin and item.date < dtend:
@ -75,9 +75,8 @@ def bulletin_preview(request):
 def bulletin_new(request):
 	if request.method == 'POST':
 		item = models.BulletinItem()
+		item.author = request.user
 		item.group = models.Group.objects.get(id=int(request.POST['group']))
-		if not item.group.can_user_access(request.user):
-			return HttpResponse('Unauthorized', status=401)
 		item.title = request.POST['title']
 		item.date = request.POST['date']
 		item.content = request.POST['content']
@ -93,12 +92,12 @@ def bulletin_new(request):
 			return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 	else:
 		item = models.BulletinItem()
+		item.author = request.user
 		item.date = timezone.now().date()
 		item.date += datetime.timedelta(days=(6 - item.date.weekday() + 7) % 7) # Next Sunday (6 = Sunday)
 		return render(request, 'sspromotions/bulletin_edit.html', {
 			'item': item,
-			'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
-			'all_groups': models.Group.objects.all()
+			'groups': models.Group.objects.all()
 		})

@login_required
@ -106,7 +105,7 @@ def bulletin_edit(request, id):
 	if request.method == 'POST':
 		item = models.BulletinItem.objects.get(id=id)
 		item.group = models.Group.objects.get(id=int(request.POST['group']))
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			return HttpResponse('Unauthorized', status=401)
 		item.title = request.POST['title']
 		item.date = request.POST['date']
@ -123,18 +122,17 @@ def bulletin_edit(request, id):
 			return redirect(reverse('bulletin_edit', kwargs={'id': item.id}))
 	else:
 		item = models.BulletinItem.objects.get(id=id)
-		if not item.group.can_user_access(request.user):
+		if not item.can_user_access(request.user):
 			return HttpResponse('Unauthorized', status=401)
 		return render(request, 'sspromotions/bulletin_edit.html', {
 			'item': item,
-			'groups': [group for group in models.Group.objects.all() if group.can_user_access(request.user)],
-			'all_groups': models.Group.objects.all()
+			'groups': models.Group.objects.all()
 		})

@login_required
 def bulletin_delete(request, id):
 	item = models.BulletinItem.objects.get(id=id)
-	if not item.group.can_user_access(request.user):
+	if not item.can_user_access(request.user):
 		return HttpResponse('Unauthorized', status=401)
 	item.delete()