From a106ee5597c7aaf752e37df20aa7423af8a6d3e1 Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Fri, 3 Jan 2025 15:50:13 +0100
Subject: [PATCH] Add permission check to participation status type
---
aleksis/apps/alsijil/rules.py | 24 ++++++++++++++++---
aleksis/apps/alsijil/schema/documentation.py | 12 +++++-----
.../alsijil/schema/participation_status.py | 8 +++++++
aleksis/apps/alsijil/util/predicates.py | 22 ++++++++++++++---
4 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/aleksis/apps/alsijil/rules.py b/aleksis/apps/alsijil/rules.py
index 054669388..a65c4ca9e 100644
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -13,11 +13,13 @@ from aleksis.core.util.predicates import (
from .util.predicates import (
can_edit_documentation,
can_edit_participation_status,
+ can_edit_participation_status_for_documentation,
can_edit_personal_note,
can_register_absence_for_at_least_one_group,
can_register_absence_for_person,
can_view_documentation,
can_view_participation_status,
+ can_view_participation_status_for_documentation,
can_view_personal_note,
can_view_statistics_for_person,
has_person_group_object_perm,
@@ -196,7 +198,7 @@ add_perm("alsijil.edit_documentation_rule", edit_documentation_predicate)
add_perm("alsijil.delete_documentation_rule", edit_documentation_predicate)
view_participation_status_for_documentation_predicate = has_person & (
- has_global_perm("alsijil.change_participationstatus") | can_view_participation_status
+ has_global_perm("alsijil.change_participationstatus") | can_view_participation_status_for_documentation
)
add_perm(
"alsijil.view_participation_status_for_documentation_rule",
@@ -205,7 +207,7 @@ add_perm(
edit_participation_status_for_documentation_with_time_range_predicate = (
has_person
- & (has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status)
+ & (has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status_for_documentation)
& is_in_allowed_time_range_for_participation_status
)
add_perm(
@@ -214,13 +216,29 @@ add_perm(
)
edit_participation_status_for_documentation_predicate = has_person & (
- has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+ has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status_for_documentation
)
add_perm(
"alsijil.edit_participation_status_for_documentation_rule",
edit_participation_status_for_documentation_predicate,
)
+view_participation_status_predicate = has_person & (
+ has_global_perm("alsijil.view_participationstatus") | can_view_participation_status
+)
+add_perm(
+ "alsijil.view_participation_status_rule",
+ view_participation_status_predicate,
+)
+
+edit_participation_status_predicate = has_person & (
+ has_global_perm("alsijil.change_participationstatus") | can_edit_participation_status
+)
+add_perm(
+ "alsijil.edit_participation_status_rule",
+ edit_participation_status_predicate,
+)
+
view_personal_note_predicate = has_person & (
has_global_perm("alsijil.change_newpersonalnote") | can_view_personal_note
)
diff --git a/aleksis/apps/alsijil/schema/documentation.py b/aleksis/apps/alsijil/schema/documentation.py
index 6b0c3e1ff..d3da77dbb 100644
--- a/aleksis/apps/alsijil/schema/documentation.py
+++ b/aleksis/apps/alsijil/schema/documentation.py
@@ -11,7 +11,7 @@ from aleksis.apps.alsijil.util.predicates import (
is_in_allowed_time_range_for_participation_status,
)
from aleksis.apps.alsijil.util.predicates import (
- can_edit_participation_status as can_edit_participation_status_predicate,
+ can_edit_participation_status_for_documentation as can_edit_participation_status_for_documentation_predicate,
)
from aleksis.apps.chronos.schema import LessonEventType
from aleksis.apps.cursus.models import Subject
@@ -56,8 +56,8 @@ class DocumentationType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectTyp
future_notice = graphene.Boolean(required=False)
future_notice_participation_status = graphene.Boolean(required=False)
- can_edit_participation_status = graphene.Boolean(required=False)
- can_view_participation_status = graphene.Boolean(required=False)
+ can_edit_participation_status_for_documentation = graphene.Boolean(required=False)
+ can_view_participation_status_for_documentation = graphene.Boolean(required=False)
old_id = graphene.ID(required=False)
@@ -96,12 +96,12 @@ class DocumentationType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectTyp
return not is_in_allowed_time_range_for_participation_status(info.context.user, root)
@staticmethod
- def resolve_can_edit_participation_status(root: Documentation, info, **kwargs):
+ def resolve_can_edit_participation_status_for_documentation(root: Documentation, info, **kwargs):
"""Shows whether the user can edit all participation statuses of the documentation"""
- return can_edit_participation_status_predicate(info.context.user, root)
+ return can_edit_participation_status_for_documentation_predicate(info.context.user, root)
@staticmethod
- def resolve_can_view_participation_status(root: Documentation, info, **kwargs):
+ def resolve_can_view_participation_status_for_documentation(root: Documentation, info, **kwargs):
"""Shows whether the user can view all participation statuses of the documentation"""
return info.context.user.has_perm(
"alsijil.view_participation_status_for_documentation_rule", root
diff --git a/aleksis/apps/alsijil/schema/participation_status.py b/aleksis/apps/alsijil/schema/participation_status.py
index 2f6a830e2..bb90b9bea 100644
--- a/aleksis/apps/alsijil/schema/participation_status.py
+++ b/aleksis/apps/alsijil/schema/participation_status.py
@@ -68,6 +68,14 @@ class ParticipationStatusType(
note__isnull=False,
).exclude(note="")
+ @staticmethod
+ def resolve_can_edit(root: ParticipationStatus, info, **kwargs):
+ return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+
+ @staticmethod
+ def resolve_can_delete(root: ParticipationStatus, info, **kwargs):
+ return info.context.user.has_perm("alsijil.edit_participation_status_rule", root)
+
class ParticipationStatusBatchPatchMutation(BaseBatchPatchMutation):
class Meta:
diff --git a/aleksis/apps/alsijil/util/predicates.py b/aleksis/apps/alsijil/util/predicates.py
index 41f8dbe02..e33b7fafe 100644
--- a/aleksis/apps/alsijil/util/predicates.py
+++ b/aleksis/apps/alsijil/util/predicates.py
@@ -12,7 +12,7 @@ from aleksis.core.models import Group, Person
from aleksis.core.util.core_helpers import get_site_preferences
from aleksis.core.util.predicates import check_object_permission
-from ..models import Documentation, NewPersonalNote
+from ..models import Documentation, NewPersonalNote, ParticipationStatus
@predicate
@@ -277,7 +277,7 @@ def can_edit_documentation(user: User, obj: Documentation):
@predicate
-def can_view_participation_status(user: User, obj: Documentation):
+def can_view_participation_status_for_documentation(user: User, obj: Documentation):
"""Predicate which checks if the user is allowed to view participation for a documentation."""
if obj:
if obj.amends and obj.amends.cancelled:
@@ -294,7 +294,7 @@ def can_view_participation_status(user: User, obj: Documentation):
@predicate
-def can_edit_participation_status(user: User, obj: Documentation):
+def can_edit_participation_status_for_documentation(user: User, obj: Documentation):
"""Predicate which checks if the user is allowed to edit participation for a documentation."""
if obj:
if obj.amends and obj.amends.cancelled:
@@ -308,6 +308,22 @@ def can_edit_participation_status(user: User, obj: Documentation):
return False
+@predicate
+def can_view_participation_status(user: User, obj: ParticipationStatus):
+ """Predicate which checks if the user is allowed to view participation."""
+ if obj.related_documentation:
+ return can_view_participation_status_for_documentation(user, obj.related_documentation)
+ return False
+
+
+@predicate
+def can_edit_participation_status(user: User, obj: ParticipationStatus):
+ """Predicate which checks if the user is allowed to edit participation."""
+ if obj.related_documentation:
+ return can_edit_participation_status_for_documentation(user, obj.related_documentation)
+ return False
+
+
@predicate
def is_in_allowed_time_range(user: User, obj: Union[Documentation, NewPersonalNote]):
"""Predicate for documentations or new personal notes with linked documentation.
--
GitLab