From 2c4e8922386c61cd40a09b6890fa19453ce1c86c Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sun, 23 Aug 2020 19:31:00 +0200
Subject: [PATCH] Fix permissions and permission checks for person overview

---
 aleksis/apps/alsijil/rules.py                 |  2 ++
 .../alsijil/class_register/person.html        | 34 +++++++++++--------
 aleksis/apps/alsijil/views.py                 |  2 +-
 3 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/aleksis/apps/alsijil/rules.py b/aleksis/apps/alsijil/rules.py
index 3f7006e06..065c9c95c 100644
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -157,6 +157,7 @@ view_person_overview_personal_notes_predicate = has_person & (
     has_global_perm("alsijil.view_personalnote")
     | has_person_group_object_perm("core.view_personalnote_group")
     | is_person_primary_group_owner
+    | is_current_person
 )
 add_perm(
     "alsijil.view_person_overview_personalnote",
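Review bot: The new `| is_current_person` alternative widens the view predicate so a person can read their own personal notes, but nothing in this hunk says whether the matching edit predicate (`alsijil.edit_personalnote`, relied on by the template changes in this same commit) stays restricted to group owners and global-permission holders; if it were ever extended the same way, a student could excuse their own absences. I would pin the intent with a comment above the added line, `# Persons may always read their own notes; editing is deliberately not self-granted`, so the asymmetry is not "fixed" later by accident. The `add_perm(...)` call that registers this predicate continues past the end of the hunk.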
@@ -179,6 +180,7 @@ view_person_statistics_personal_notes_predicate = has_person & (
     has_global_perm("alsijil.view_personalnote")
     | has_person_group_object_perm("core.view_personalnote_group")
     | is_person_primary_group_owner
+    | is_current_person
 )
 add_perm(
     "alsijil.view_person_statistics_personalnote",
diff --git a/aleksis/apps/alsijil/templates/alsijil/class_register/person.html b/aleksis/apps/alsijil/templates/alsijil/class_register/person.html
index e0547ce6a..7b53c558d 100644
--- a/aleksis/apps/alsijil/templates/alsijil/class_register/person.html
+++ b/aleksis/apps/alsijil/templates/alsijil/class_register/person.html
@@ -25,12 +25,15 @@
       {% for note in unexcused_absences %}
         {% weekday_to_date note.calendar_week note.lesson_period.period.weekday as note_date %}
         <li class="collection-item">
-          <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
-            {% csrf_token %}
-            {% trans "Mark as" %}
-            <input type="hidden" value="{{ note.pk }}" name="personal_note">
-            {% include "alsijil/partials/mark_as_buttons.html" %}
-          </form>
+          {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
+          {% if can_edit_personal_note %}
+            <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
+              {% csrf_token %}
+              {% trans "Mark as" %}
+              <input type="hidden" value="{{ note.pk }}" name="personal_note">
+              {% include "alsijil/partials/mark_as_buttons.html" %}
+            </form>
+          {% endif %}
           <i class="material-icons left red-text">warning</i>
           <p class="no-margin">
             <a href="{% url "lesson_by_week_and_period" note.year note.week note.lesson_period.pk %}">{{ note_date }}, {{ note.lesson_period }}</a>
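Review bot: Wrapping the "Mark as" form in `{% if can_edit_personal_note %}` only hides the UI; the POST handler that reads the `personal_note` field must apply the same object-level `alsijil.edit_personalnote` check, since a user who can now view the overview (e.g. via the new `is_current_person` rule) can still submit the request directly with any note pk. That handler is not part of this patch, so I cannot confirm it does, but it should be verified before relying on this template gate. Moving the `{% has_perm %}` tag above both forms is correct as long as it stays inside the `{% for note in unexcused_absences %}` loop, which it does here.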
@@ -38,7 +41,6 @@
           {% if note.remarks %}
             <p class="no-margin"><em>{{ note.remarks }}</em></p>
           {% endif %}
-          {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
           {% if can_edit_personal_note %}
             <form action="" method="post" class="hide-on-med-and-up">
               {% csrf_token %}
@@ -132,12 +134,14 @@
                   <i class="material-icons left">schedule</i>
                   {{ note_date }}
 
-                  <form action="" method="post" class="hide-on-med-and-up">
-                    {% csrf_token %}
-                    {% trans "Mark all as" %}
-                    <input type="hidden" value="{{ note_date|date:"Y-m-d" }}" name="date">
-                    {% include "alsijil/partials/mark_as_buttons.html" %}
-                  </form>
+                  {% if can_mark_all_as_excused %}
+                    <form action="" method="post" class="hide-on-med-and-up">
+                      {% csrf_token %}
+                      {% trans "Mark all as" %}
+                      <input type="hidden" value="{{ note_date|date:"Y-m-d" }}" name="date">
+                      {% include "alsijil/partials/mark_as_buttons.html" %}
+                    </form>
+                  {% endif %}
                 </li>
               {% endifchanged %}
 
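Review bot: `can_mark_all_as_excused` is used at the new `{% if %}` but not assigned anywhere in this hunk; Django templates treat an undefined variable as falsy without raising, so if it is not set by the view context or an earlier `{% has_perm ... as can_mark_all_as_excused %}` tag outside the hunk, the "Mark all as" form silently disappears for everyone, including group owners. Worth confirming where it is defined, and, as with the per-note form, the server side handling the `date` field must enforce the permission independently of this guard. The enclosing `{% ifchanged %}` block starts before the hunk.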
@@ -156,7 +160,8 @@
                   </div>
 
                   <div class="col s12 m7 no-padding">
-                    {% if note.absent and not note.excused %}
+                    {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
+                    {% if note.absent and not note.excused and can_edit_personal_note %}
                       <form action="" method="post" class="right hide-on-small-only" style="margin-top: -7px;">
                         {% csrf_token %}
                         {% trans "Mark as" %}
@@ -194,7 +199,6 @@
 
                   </div>
                   <div class="col s12 hide-on-med-and-up">
-                    {% has_perm "alsijil.edit_personalnote" user note as can_edit_personal_note %}
                     {% if note.absent and not note.excused and can_edit_personal_note %}
                       <form action="" method="post">
                         {% csrf_token %}
diff --git a/aleksis/apps/alsijil/views.py b/aleksis/apps/alsijil/views.py
index ce69a45be..3fb49fea6 100644
--- a/aleksis/apps/alsijil/views.py
+++ b/aleksis/apps/alsijil/views.py
@@ -478,7 +478,7 @@ def my_students(request: HttpRequest) -> HttpResponse:
         .annotate(lessons_count=Count("lessons"))
         .filter(lessons_count__gt=0, owners=request.user.person)
     )
-    persons = Person.objects.filter(member_of__in=relevant_groups)
+    persons = Person.objects.filter(member_of__in=relevant_groups).distinct()
     context["persons"] = persons
     return render(request, "alsijil/class_register/persons.html", context)
 
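Review bot: `.distinct()` is the right fix for the duplicate rows a person produces when they are a member of several relevant groups, but the hunk also reads `request.user.person` unguarded; a logged-in user without a linked Person would raise on that attribute access. The decorators and signature of `my_students` are outside the hunk, so I cannot tell whether a `has_person`-style check already excludes that case, and I would confirm it rather than assume. A brief comment on the changed line, `# distinct(): joining member_of across several groups otherwise repeats a person`, would explain why the call is needed.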
-- 
GitLab