Fix permissions and permission checks for person overview

2c4e8922 · Jonathan Weth · 0319cbcf · 2c4e8922 · 2c4e8922 · 2c4e8922
Verified Commit 2c4e8922 authored 4 years ago by Jonathan Weth
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -157,6 +157,7 @@ view_person_overview_personal_notes_predicate = has_person & (
    has_global_perm("alsijil.view_personalnote")
    | has_person_group_object_perm("core.view_personalnote_group")
    | is_person_primary_group_owner
+    | is_current_person
 )
 add_perm(
    "alsijil.view_person_overview_personalnote",
@@ -179,6 +180,7 @@ view_person_statistics_personal_notes_predicate = has_person & (
    has_global_perm("alsijil.view_personalnote")
    | has_person_group_object_perm("core.view_personalnote_group")
    | is_person_primary_group_owner
+    | is_current_person
 )
 add_perm(
    "alsijil.view_person_statistics_personalnote",

--- a/aleksis/apps/alsijil/templates/alsijil/class_register/person.html
+++ b/aleksis/apps/alsijil/templates/alsijil/class_register/person.html
@@ -25,12 +25,15 @@
      {% for note in unexcused_absences %}
        {% weekday_to_date note.calendar_week note.lesson_period.period.weekday as note_date %}
        <li class="collection-item">
-          <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
-            {% csrf_token %}
-            {% trans "Mark as" %}
-            <input type="hidden" value="{{ note.pk }}" name="personal_note">
-            {% include "alsijil/partials/mark_as_buttons.html" %}
-          </form>
+          {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
+          {% if can_edit_personal_note %}
+            <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
+              {% csrf_token %}
+              {% trans "Mark as" %}
+              <input type="hidden" value="{{ note.pk }}" name="personal_note">
+              {% include "alsijil/partials/mark_as_buttons.html" %}
+            </form>
+          {% endif %}
          <i class="material-icons left red-text">warning</i>
          <p class="no-margin">
            <a href="{% url "lesson_by_week_and_period" note.year note.week note.lesson_period.pk %}">{{ note_date }}, {{ note.lesson_period }}</a>
@@ -38,7 +41,6 @@
          {% if note.remarks %}
            <p class="no-margin"><em>{{ note.remarks }}</em></p>
          {% endif %}
-          {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
          {% if can_edit_personal_note %}
            <form action="" method="post" class="hide-on-med-and-up">
              {% csrf_token %}
@@ -132,12 +134,14 @@
                  <i class="material-icons left">schedule</i>
                  {{ note_date }}

-                  <form action="" method="post" class="hide-on-med-and-up">
-                    {% csrf_token %}
-                    {% trans "Mark all as" %}
-                    <input type="hidden" value="{{ note_date|date:"Y-m-d" }}" name="date">
-                    {% include "alsijil/partials/mark_as_buttons.html" %}
-                  </form>
+                  {% if can_mark_all_as_excused %}
+                    <form action="" method="post" class="hide-on-med-and-up">
+                      {% csrf_token %}
+                      {% trans "Mark all as" %}
+                      <input type="hidden" value="{{ note_date|date:"Y-m-d" }}" name="date">
+                      {% include "alsijil/partials/mark_as_buttons.html" %}
+                    </form>
+                  {% endif %}
                </li>
              {% endifchanged %}

@@ -156,7 +160,8 @@
                  </div>

                  <div class="col s12 m7 no-padding">
-                    {% if note.absent and not note.excused %}
+                    {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
+                    {% if note.absent and not note.excused and can_edit_personal_note %}
                      <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
                        {% csrf_token %}
                        {% trans "Mark as" %}
@@ -194,7 +199,6 @@

                  </div>
                  <div class="col s12 hide-on-med-and-up">
-                    {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
                    {% if note.absent and not note.excused and can_edit_personal_note %}
                      <form action="" method="post">
                        {% csrf_token %}

--- a/aleksis/apps/alsijil/views.py
+++ b/aleksis/apps/alsijil/views.py
@@ -478,7 +478,7 @@ def my_students(request: HttpRequest) -> HttpResponse:
        .annotate(lessons_count=Count("lessons"))
        .filter(lessons_count__gt=0, owners=request.user.person)
    )
-    persons = Person.objects.filter(member_of__in=relevant_groups)
+    persons = Person.objects.filter(member_of__in=relevant_groups).distinct()
    context["persons"] = persons
    return render(request, "alsijil/class_register/persons.html", context)