diff --git a/aleksis/apps/alsijil/forms.py b/aleksis/apps/alsijil/forms.py
index 39ddbebf19741d0f35c649b0cf4a99adea9e8735..746a4762888a971b25d6793e8123cb765ad98e45 100644
--- a/aleksis/apps/alsijil/forms.py
+++ b/aleksis/apps/alsijil/forms.py
@@ -278,20 +278,10 @@ class AssignGroupRoleForm(forms.ModelForm):
 if get_site_preferences()["alsijil__group_owners_can_assign_roles_to_parents"]:
 persons = persons.filter(
 Q(member_of__owners=self.request.user.person)
- | Q(member_of__parent_groups__owners=self.request.user.person)
- | Q(children__member_of__owners=self.request.user.person)
- | Q(children__member_of__parent_groups__owners=self.request.user.person)
- if get_site_preferences()["alsijil__inherit_privileges_from_parent_group"]
- else Q(member_of__owners=self.request.user.person)
 | Q(children__member_of__owners=self.request.user.person)
 )
 else:
- persons = persons.filter(
- Q(member_of__owners=self.request.user.person)
- | Q(member_of__parent_groups__owners=self.request.user.person)
- if get_site_preferences()["alsijil__inherit_privileges_from_parent_group"]
- else Q(member_of__owners=self.request.user.person)
- )
+ persons = persons.filter(member_of__owners=self.request.user.person)
 self.fields["person"].queryset = persons.distinct()
 if "groups" not in initial:
diff --git a/aleksis/apps/alsijil/rules.py b/aleksis/apps/alsijil/rules.py
index 40856e27eed7f22a56afec5e3127053acc143149..9d143604e3c0ca62688da71703df0e08d501db85 100644
--- a/aleksis/apps/alsijil/rules.py
+++ b/aleksis/apps/alsijil/rules.py
@@ -26,7 +26,6 @@ from .util.predicates import (
 is_owner_of_any_group,
 is_parent_group_owner,
 is_person_group_owner,
- is_person_parent_group_owner,
 is_person_primary_group_owner,
 is_personal_note_lesson_original_teacher,
 is_personal_note_lesson_parent_group_owner,
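Review bot: After this hunk the site preference `alsijil__inherit_privileges_from_parent_group` is no longer read in `AssignGroupRoleForm`, and the three predicate hunks in rules.py drop the matching `is_site_preference_set("alsijil", "inherit_privileges_from_parent_group")` checks. The preference's definition is not part of this diff; if it is still registered, an administrator who enabled it gets no indication that it has stopped affecting these permissions. Either retire or re-describe the preference in the same change, or at least record the decision next to the new filter, e.g. `# Only direct group owners may assign roles; parent-group inheritance is intentionally not applied here`. The enclosing method starts and ends outside the hunk.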
@@ -204,10 +203,6 @@ add_perm("alsijil.view_students_list_rule", view_students_list_predicate)
 view_person_overview_predicate = has_person & (
 (is_current_person & is_site_preference_set("alsijil", "view_own_personal_notes"))
 | is_person_group_owner
- | (
- is_person_parent_group_owner
- & is_site_preference_set("alsijil", "inherit_privileges_from_parent_group")
- )
 )
 add_perm("alsijil.view_person_overview_rule", view_person_overview_predicate)
@@ -219,10 +214,6 @@ add_perm("alsijil.view_person_overview_menu_rule", view_person_overview_menu_pre
 view_person_overview_personal_notes_predicate = view_person_overview_predicate & (
 (is_current_person & is_site_preference_set("alsijil", "view_own_personal_notes"))
 | is_person_primary_group_owner
- | (
- is_person_parent_group_owner
- & is_site_preference_set("alsijil", "inherit_privileges_from_parent_group")
- )
 | has_global_perm("alsijil.view_personalnote")
 | has_person_group_object_perm("core.view_personalnote_group")
 )
@@ -326,12 +317,7 @@ add_perm(
 )
 assign_group_role_person_predicate = has_person & (
- is_person_group_owner
- | (
- is_person_parent_group_owner
- & is_site_preference_set("alsijil", "inherit_privileges_from_parent_group")
- )
- | has_global_perm("alsijil.assign_grouprole")
+ is_person_group_owner | has_global_perm("alsijil.assign_grouprole")
 )
 add_perm("alsijil.assign_grouprole_to_person_rule", assign_group_role_person_predicate)
diff --git a/aleksis/apps/alsijil/util/predicates.py b/aleksis/apps/alsijil/util/predicates.py
index fbc163b3c00d2a4f4252dfce23365e22748803e8..d66ebb41d052e17dac94087526997df71824c2cc 100644
--- a/aleksis/apps/alsijil/util/predicates.py
+++ b/aleksis/apps/alsijil/util/predicates.py
@@ -125,22 +125,6 @@ def is_person_primary_group_owner(user: User, obj: Person) -> bool:
 return False
-@predicate
-def is_person_parent_group_owner(user: User, obj: Person) -> bool:
- """
- Predicate for parent group owners of a person.
-
- Checks whether the person linked to the user is the owner of
- any parent groups of any groups of the given person.
- """
- if obj:
- for group in use_prefetched(obj, "member_of"):
- for parent_group in use_prefetched(group, "parent_groups"):
- if user.person in use_prefetched(parent_group, "owners"):
- return True
- return False
-
-
 def has_person_group_object_perm(perm: str):
 """Predicate builder for permissions on a set of member groups.
@@ -273,11 +257,15 @@ def is_personal_note_lesson_parent_group_owner(user: User, obj: PersonalNote) ->
 Checks whether the person linked to the user is the owner of
 any parent groups of any groups of the given LessonPeriod lesson of the given PersonalNote.
+ If so, also checks whether the person linked to the personal note actually is a member of this
+ parent group.
 """
 if hasattr(obj, "register_object"):
 for group in obj.register_object.get_groups().all():
 for parent_group in group.parent_groups.all():
- if user.person in list(parent_group.owners.all()):
+ if user.person in use_prefetched(
+ parent_group, "owners"
+ ) and obj.person in use_prefetched(parent_group, "members"):
 return True
 return False
diff --git a/aleksis/apps/alsijil/views.py b/aleksis/apps/alsijil/views.py
index a4ba938d25e4ca327b0a4aaf36631a985e75e753..de3866e0b4ecb62cffd2fc0223c1383f70772c30 100644
--- a/aleksis/apps/alsijil/views.py
+++ b/aleksis/apps/alsijil/views.py
@@ -222,7 +222,9 @@ def register_object(
 else:
 persons = Person.objects.all()
- persons_qs = register_object.get_personal_notes(persons, wanted_week)
+ persons_qs = register_object.get_personal_notes(persons, wanted_week).filter(
+ person__member_of__in=request.user.person.owner_of.all()
+ )
 # Annotate group roles
 if show_group_roles:
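Review bot: In `is_personal_note_lesson_parent_group_owner` the added test `obj.person in use_prefetched(parent_group, "members")` only matches persons who are direct members of the parent group. If membership is normally recorded only on the lesson's own group, the predicate can no longer grant access to anyone; whether that is the case depends on the group model, which this diff does not show. Please confirm that parent groups carry their own `members`, and say so in the docstring, e.g. `Membership is checked on the parent group itself, not inherited from its child groups.` The loops above the changed line still call `.all()` while the condition now goes through `use_prefetched`, so unless the caller prefetches these relations the full owner and member lists are presumably loaded for every parent group on each evaluation.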
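Review bot: The added `.filter(person__member_of__in=request.user.person.owner_of.all())` in `register_object` applies to every caller. That includes users who passed the view's permission check for a reason other than owning one of the person's groups, for example through a global permission such as `alsijil.view_personalnote`. The rule guarding this view is outside the hunk, but for such users `persons_qs` would now be silently empty rather than denied or fully shown. The same unconditional owner filter is repeated in the `week_view`, `my_students` and `StudentsList` hunks, so the authorisation decision now lives in four view-level copies instead of in the rule set. Consider moving it into one helper that returns the persons a user may see, and applying the owner restriction only when the user is not authorised by another branch. `register_object` starts and ends outside the hunk.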
@@ -456,9 +458,13 @@ def week_view(
 if not request.user.has_perm("alsijil.view_week_personalnote_rule", instance):
 persons_qs = persons_qs.filter(pk=request.user.person.pk)
 elif group:
- persons_qs = persons_qs.filter(member_of=group)
+ persons_qs = persons_qs.filter(member_of=group).filter(
+ member_of__in=request.user.person.owner_of.all()
+ )
 else:
- persons_qs = persons_qs.filter(member_of__in=groups)
+ persons_qs = persons_qs.filter(member_of__in=groups).filter(
+ member_of__in=request.user.person.owner_of.all()
+ )
 # Prefetch object permissions for persons and groups the persons are members of
 # because the object permissions are checked for both persons and groups
@@ -763,7 +769,7 @@ def my_students(request: HttpRequest) -> HttpResponse:
 "primary_group__owners",
 Prefetch("member_of", queryset=relevant_groups, to_attr="member_of_prefetched"),
 )
- )
+ ).filter(member_of__in=request.user.person.owner_of.all())
 persons_for_group = []
 for person in persons:
 person.set_object_permission_checker(checker)
@@ -795,7 +801,11 @@ class StudentsList(PermissionRequiredMixin, DetailView):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
 context["group"] = self.object
- context["persons"] = self.object.generate_person_list_with_class_register_statistics()
+ context[
+ "persons"
+ ] = self.object.generate_person_list_with_class_register_statistics().filter(
+ member_of__in=self.request.user.person.owner_of.all()
+ )
 context["extra_marks"] = ExtraMark.objects.all()
 context["excuse_types"] = ExcuseType.objects.all()
 return context
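Review bot: The second `.filter(member_of__in=request.user.person.owner_of.all())` in both `week_view` branches adds another join on the membership relation. A person who belongs to several groups owned by the requester can therefore come back more than once unless `.distinct()` is applied after the hunk, as the forms.py queryset in this commit does with `persons.distinct()`. The `my_students` and `StudentsList` hunks add the same join. In `StudentsList`, if `generate_person_list_with_class_register_statistics()` returns a queryset with aggregate annotations, a join added after the annotation can also inflate those counts, so this needs a check against a person who is in two owned groups. A comment such as `# member_of is multi-valued: de-duplicate after restricting to owned groups` followed by `.distinct()` would cover the plain lists. `week_view` and `my_students` continue outside their hunks.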