From a6405ccfc7f53f601088206c216c5167fd86359f Mon Sep 17 00:00:00 2001
From: Scott Bragg
Date: Mon, 13 Jun 2016 21:20:46 +1000
Subject: [PATCH 1/2] Fix team permissions backend not pulling out manager_permissions Something like request.user.has_perm('reviews.can_manage_%s' % proposal.kind.section.slug) Will aways return false as the backend does a lookup of team membership (member or manager) but only grabs the 'permissions' and not the 'manager_permissions' field
---
 symposion/teams/backends.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/symposion/teams/backends.py b/symposion/teams/backends.py
index 23b001b6..0effdc2d 100644
--- a/symposion/teams/backends.py
+++ b/symposion/teams/backends.py
@@ -16,15 +16,27 @@ class TeamPermissionsBackend(object):
 if user_obj.is_anonymous() or obj is not None:
 return set()
 if not hasattr(user_obj, "_team_perm_cache"):
+ # Member permissions
 memberships = Team.objects.filter(
- Q(memberships__user=user_obj),
- Q(memberships__state="manager") | Q(memberships__state="member"),
+ Q(memberships__user=user_obj),
+ Q(memberships__state="member"),
 )
 perms = memberships.values_list(
 "permissions__content_type__app_label",
 "permissions__codename"
 ).order_by()
- user_obj._team_perm_cache = set(["%s.%s" % (ct, name) for ct, name in perms])
+ permissions = ["%s.%s" % (ct, name) for ct, name in perms]
+ # Manager permissions
+ memberships = Team.objects.filter(
+ Q(memberships__user=user_obj),
+ Q(memberships__state="manager"),
+ )
+ perms = memberships.values_list(
+ "manager_permissions__content_type__app_label",
+ "manager_permissions__codename"
+ ).order_by()
+ permissions += ["%s.%s" % (ct, name) for ct, name in perms]
+ user_obj._team_perm_cache = set(permissions)
 return user_obj._team_perm_cache
 def has_perm(self, user_obj, perm, obj=None):
From ce122994ccad30b17b5073076bb97ded86f099cf Mon Sep 17 00:00:00 2001
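Review bot: Managers lose the team's member-level `permissions` now that the first query's filter is narrowed to `Q(memberships__state="member")`. The removed line matched manager or member rows for that lookup, and the added manager query reads only the `manager_permissions__*` columns. Unless every team repeats its member permissions under `manager_permissions`, a manager ends up holding fewer permissions than a plain member of the same team. Keeping `Q(memberships__state="manager") | Q(memberships__state="member"),` on the member query and leaving the added manager query as it is would preserve the old grants. get_team_permissions starts above the hunk.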
From: Scott Bragg
Date: Mon, 13 Jun 2016 21:32:55 +1000
Subject: [PATCH 2/2] Changed admin to the 'can_manage' permission and added an is_manager to the page context
---
 symposion/reviews/views.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/symposion/reviews/views.py b/symposion/reviews/views.py
index 037c6742..f6b967e3 100644
--- a/symposion/reviews/views.py
+++ b/symposion/reviews/views.py
@@ -185,7 +185,7 @@ def review_detail(request, pk):
 if not request.user.is_superuser and request.user in speakers:
 return access_not_permitted(request)
- admin = request.user.is_staff
+ admin = request.user.has_perm("reviews.can_manage_%s" % proposal.kind.section.slug)
 try:
 latest_vote = LatestVote.objects.get(proposal=proposal, user=request.user)
@@ -208,7 +208,7 @@ def review_detail(request, pk):
 return redirect(request.path)
 else:
 message_form = SpeakerCommentForm()
- elif "message_submit" in request.POST:
+ elif "message_submit" in request.POST and admin:
 message_form = SpeakerCommentForm(request.POST)
 if message_form.is_valid():
@@ -282,7 +282,8 @@ def review_detail(request, pk):
 "reviews": reviews,
 "review_messages": messages,
 "review_form": review_form,
- "message_form": message_form
+ "message_form": message_form,
+ "is_manager": admin
 })
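Review bot: The local `admin` no longer means staff status once it is assigned from `request.user.has_perm(...)`; it now holds the per-section `reviews.can_manage_<slug>` permission, so every later use of `admin` in review_detail (outside this hunk) changes meaning with it. Staff accounts that are not superusers and lack the team permission lose whatever `admin` gated, which looks intended but should be stated in the code. I would rename the local to match the context key added in the last hunk, `is_manager = request.user.has_perm("reviews.can_manage_%s" % proposal.kind.section.slug)`, and add the comment `# section managers only; is_staff alone no longer grants this`.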
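Review bot: A `message_submit` post from a user without the manager permission is now skipped silently at `elif "message_submit" in request.POST and admin:` instead of being refused. The remaining branches of review_detail are outside this hunk; if none of them matches, control may reach the final render with `message_form` and `review_form` never assigned on the POST path, which should be verified. An explicit denial is easier to audit: keep the original `elif "message_submit" in request.POST:` and start the branch with `if not admin: return access_not_permitted(request)`.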