User with no staff admin instance can't create appointment (#67)

* User with no staff admin instance can't create appointment

* New version release

* Removing console.log and print before release

Author: adamspd

README.md

@@ -14,7 +14,7 @@
 ⚠️ **IMPORTANT**: If upgrading from a version before 2.x.x, please note significant database changes were introduced in
 Version 2.0.0 introduces significant database changes. Please read
 the [migration guide](https://github.com/adamspd/django-appointment/tree/main/docs/migration_guides/v2_1_0.md) before
-updating. No significant database changes were introduced in version 3.0.0.
+updating. No database changes were introduced in version 3.0.1.
 
 Django-Appointment is a Django app engineered for managing appointment scheduling with ease and flexibility. It enables
 users to define custom configurations for time slots, lead time, and finish time, or utilize the default values
@@ -43,7 +43,7 @@ notes](https://github.com/adamspd/django-appointment/tree/main/docs/release_note
 - For more information, please refer to
   this [documentation](https://github.com/adamspd/django-appointment/tree/main/docs/history/readme_v2_1_1.md).
 
-## Added Features in version 3.0.0
+## Added Features in version 3.0.1
 
 This release of Django Appointment brings a series of improvements and updates aimed at enhancing the overall
 functionality and user experience:
@@ -76,7 +76,7 @@ our commitment to providing a high-quality and user-friendly appointment managem
 See the [release notes](https://github.com/adamspd/django-appointment/tree/main/docs/release_notes/latest.md)
 for more information.
 
-### Breaking Changes in version 3.0.0:
+### Breaking Changes in version 3.0.1:
 
 See the [release notes](https://github.com/adamspd/django-appointment/tree/main/docs/release_notes/latest.md) for more
   information.

appointment/__init__.py

@@ -4,5 +4,5 @@
 __description__ = "Managing appointment scheduling with customizable slots, staff features, and conflict handling."
 __package_name__ = "django-appointment"
 __url__ = "https://github.com/adamspd/django-appointment"
-__version__ = "3.0.0"
+__version__ = "3.0.1"
 __test_version__ = False

appointment/static/js/app_admin/staff_index.js

@@ -10,7 +10,7 @@ const Constants = {
 
 // Application State
 const AppState = {
-    eventIdSelected: null, calendar: null, isEditingAppointment: false, isCreating: false,
+    eventIdSelected: null, calendar: null, isEditingAppointment: false, isCreating: false, isUserStaffAdmin: true,
 };
 
 document.addEventListener("DOMContentLoaded", initializeCalendar);
@@ -35,7 +35,9 @@ window.addEventListener('resize', function () {
 
 document.addEventListener("DOMContentLoaded", function () {
     // Wait for a 50ms after the DOM is ready before initializing the calendar
-    setTimeout(initializeCalendar, 50);
+    setUserStaffAdminFlag().then(() => {
+        setTimeout(initializeCalendar, 50);
+    });
 });
 
 
@@ -149,10 +151,12 @@ function getCalendarConfig(events) {
 
             if (dayCell.date >= currentDate && !tabletCheck()) {
                 // Attach right-click event listener only if the day is not in the past
-                dayCell.el.addEventListener('contextmenu', function (event) {
-                    event.preventDefault();
-                    handleCalendarRightClick(event, dayCell.date);
-                });
+                if (AppState.isUserStaffAdmin) {
+                    dayCell.el.addEventListener('contextmenu', function (event) {
+                        event.preventDefault();
+                        handleCalendarRightClick(event, dayCell.date);
+                    });
+                }
             }
         },
     };
@@ -223,7 +227,29 @@ function getCalendarHeight() {
     return '850px';
 }
 
+function setUserStaffAdminFlag() {
+    return fetch(isUserStaffAdminURL)
+        .then(response => response.json())
+        .then(data => {
+            if (data.is_staff_admin) {
+                AppState.isUserStaffAdmin = true;
+            } else {
+                console.error(data.message || "Error fetching user details.");
+                AppState.isUserStaffAdmin = false;
+            }
+        })
+        .catch(error => {
+            console.error("Error checking user's staff admin status: ", error);
+            AppState.isUserStaffAdmin = false;
+        });
+}
+
+
 function handleCalendarRightClick(event, date) {
+    if (!AppState.isUserStaffAdmin) {
+        showErrorModal(notStaffMemberTxt)
+        return;
+    }
     const contextMenu = document.getElementById("customContextMenu");
     contextMenu.style.top = `${event.pageY}px`;
     contextMenu.style.left = `${event.pageX}px`;
@@ -352,6 +378,9 @@ function fetchServices(isEditMode = false) {
 
 async function populateServices(selectedServiceId, isEditMode = false) {
     const services = await fetchServices(isEditMode);
+    if (!services) {
+        showErrorModal(noServiceOfferedTxt)
+    }
     const selectElement = document.createElement('select');
     services.forEach(service => {
         const option = document.createElement('option');
@@ -543,7 +572,6 @@ function adjustModalButtonsVisibility(isEditMode, isCreatingMode) {
 // ################################################################ //
 
 function toggleEditMode() {
-    console.log("I was called in toggleEditMode")
     const modal = document.getElementById("eventDetailsModal");
     const appointment = appointments.find(app => Number(app.id) === Number(AppState.eventIdSelected));
     AppState.isCreating = false; // Turn off creating mode

appointment/templates/administration/staff_index.html

@@ -312,6 +312,7 @@
         const updateApptMinInfoURL = "{% url 'appointment:update_appt_min_info' %}";
         const updateApptDateURL = "{% url 'appointment:update_appt_date_time' %}";
         const validateApptDateURL = "{% url 'appointment:validate_appointment_date' %}";
+        const isUserStaffAdminURL = "{% url 'appointment:is_user_staff_admin' %}";
     </script>
     <script>
         {# Text for translation #}
@@ -322,9 +323,11 @@
         const noEventTxt = "{% trans 'No events for this day.' %}";
         const newEventTxt = "{% trans 'New Event' %}";
         const successTxt = "{% trans 'Success' %}";
-        const errorTxt = "{% trans 'Error' %}"
-        const updateApptErrorTitleTxt = "{% trans 'Error: Unable to delete appointment.' %}"
-        const apptNotFoundTxt = "{% trans 'Appointment not found.' %}"
+        const errorTxt = "{% trans 'Error' %}";
+        const updateApptErrorTitleTxt = "{% trans 'Error: Unable to delete appointment.' %}";
+        const apptNotFoundTxt = "{% trans 'Appointment not found.' %}";
+        const notStaffMemberTxt = "{% trans "You're not a staff member. Can't perform this action !" %}";
+        const noServiceOfferedTxt = "{% trans "You don't offer any service. Add new service from your profile." %}";
     </script>
 
     <script src="{% static 'js/modal/error_modal.js' %}"></script>

appointment/tests/test_views.py

@@ -272,6 +272,40 @@ def test_fetch_service_list_for_staff(self):
             [{"id": service.id, "name": service.name} for service in staff_member_services]
         )
 
+    def test_fetch_service_list_for_staff_no_staff_member_instance(self):
+        """Test that a superuser without a StaffMember instance receives an appropriate error message."""
+        self.need_superuser_login()
+
+        # Ensure the superuser does not have a StaffMember instance
+        StaffMember.objects.filter(user=self.user1).delete()
+
+        url = reverse('appointment:fetch_service_list_for_staff')
+        response = self.client.get(url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+
+        # Check the response status code and content
+        self.assertEqual(response.status_code, 400)
+        response_data = response.json()
+        self.assertIn('message', response_data)
+        self.assertEqual(response_data['message'], _("You're not a staff member. Can't perform this action !"))
+        self.assertFalse(response_data['success'])
+
+    def test_fetch_service_list_for_staff_no_services_offered(self):
+        """Test fetching services for a staff member who offers no services."""
+        self.need_staff_login()
+
+        # Assuming self.staff_member1 offers no services
+        self.staff_member1.services_offered.clear()
+
+        url = reverse('appointment:fetch_service_list_for_staff')
+        response = self.client.get(url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+
+        # Check response status code and content
+        self.assertEqual(response.status_code, 404)
+        response_data = response.json()
+        self.assertIn('message', response_data)
+        self.assertEqual(response_data['message'], _("No services offered by this staff member."))
+        self.assertFalse(response_data['success'])
+
     def test_update_appt_min_info_create(self):
         self.need_staff_login()
 
@@ -441,3 +475,36 @@ def test_make_staff_member_without_superuser(self):
 
         # Check for a forbidden status code, as only superusers should be able to create staff members
         self.assertEqual(response.status_code, 403)
+
+    def test_is_user_staff_admin_with_staff_member(self):
+        """Test that a user with a StaffMember instance is identified as a staff admin."""
+        self.need_staff_login()
+
+        # Ensure the user has a StaffMember instance
+        if not StaffMember.objects.filter(user=self.user1).exists():
+            StaffMember.objects.create(user=self.user1)
+
+        url = reverse('appointment:is_user_staff_admin')
+        response = self.client.get(url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+
+        # Check the response status code and content
+        self.assertEqual(response.status_code, 200)
+        response_data = response.json()
+        self.assertIn('message', response_data)
+        self.assertEqual(response_data['message'], _("User is a staff member."))
+
+    def test_is_user_staff_admin_without_staff_member(self):
+        """Test that a user without a StaffMember instance is not identified as a staff admin."""
+        self.need_staff_login()
+
+        # Ensure the user does not have a StaffMember instance
+        StaffMember.objects.filter(user=self.user1).delete()
+
+        url = reverse('appointment:is_user_staff_admin')
+        response = self.client.get(url, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+
+        # Check the response status code and content
+        self.assertEqual(response.status_code, 200)
+        response_data = response.json()
+        self.assertIn('message', response_data)
+        self.assertEqual(response_data['message'], _("User is not a staff member."))

appointment/urls.py

@@ -14,7 +14,7 @@
 from appointment.views_admin import add_day_off, add_or_update_service, add_or_update_staff_info, add_working_hours, \
     create_new_staff_member, delete_appointment, delete_appointment_ajax, delete_day_off, delete_service, \
     delete_working_hours, display_appointment, email_change_verification_code, fetch_service_list_for_staff, \
-    get_service_list, get_user_appointments, make_superuser_staff_member, remove_staff_member, \
+    get_service_list, get_user_appointments, is_user_staff_admin, make_superuser_staff_member, remove_staff_member, \
     remove_superuser_staff_member, update_appt_date_time, update_appt_min_info, update_day_off, update_personal_info, \
     update_working_hours, user_profile, validate_appointment_date
 
@@ -88,6 +88,7 @@
     path('validate_appointment_date/', validate_appointment_date, name="validate_appointment_date"),
     # delete appointment ajax
     path('delete_appointment/', delete_appointment_ajax, name="delete_appointment_ajax"),
+    path('is_user_staff_admin/', is_user_staff_admin, name="is_user_staff_admin"),
 ]
 
 urlpatterns = [

appointment/views_admin.py

@@ -239,13 +239,19 @@ def fetch_service_list_for_staff(request):
             # Ensure the staff member is associated with this appointment
             if not Appointment.objects.filter(id=appointment_id,
                                               appointment_request__staff_member=staff_member).exists():
-                return json_response("You do not have permission to access this appointment.", status_code=403)
+                return json_response(_("You do not have permission to access this appointment."), status_code=403)
     else:
         # Fetch all services for the staff member (create mode)
-        staff_member = StaffMember.objects.get(user=request.user)
+        try:
+            staff_member = StaffMember.objects.get(user=request.user)
+        except StaffMember.DoesNotExist:
+            return json_response(_("You're not a staff member. Can't perform this action !"), status=400, success=False)
 
     services = list(staff_member.get_services_offered().values('id', 'name'))
-    return json_response("Successfully fetched services.", custom_data={'services_offered': services})
+    if len(services) == 0:
+        return json_response(_("No services offered by this staff member."), status=404, success=False,
+                             error_code=ErrorCode.SERVICE_NOT_FOUND)
+    return json_response(_("Successfully fetched services."), custom_data={'services_offered': services})
 
 
 @require_user_authenticated
@@ -497,4 +503,15 @@ def delete_appointment_ajax(request):
     appointment_id = data.get("appointment_id")
     appointment = get_object_or_404(Appointment, pk=appointment_id)
     appointment.delete()
-    return json_response("Appointment deleted successfully.")
+    return json_response(_("Appointment deleted successfully."))
+
+
+@require_user_authenticated
+@require_staff_or_superuser
+def is_user_staff_admin(request):
+    user = request.user
+    try:
+        StaffMember.objects.get(user=user)
+        return json_response(_("User is a staff member."), custom_data={'is_staff_admin': True})
+    except StaffMember.DoesNotExist:
+        return json_response(_("User is not a staff member."), custom_data={'is_staff_admin': False})

docs/migration_guides/latest.md

@@ -1,10 +1,10 @@
-## Migration Guide for Version 3.0.0 🚀
+## Migration Guide for Version 3.0.1 🚀
 
-Version 3.0.0 of django-appointment is focused on enhancing functionality, documentation, and internationalization, with
+Version 3.x.x of django-appointment is focused on enhancing functionality, documentation, and internationalization, with
 no significant database schema changes introduced. This guide provides the steps to ensure a smooth upgrade from version
 2.1.1 or any earlier versions post 2.0.0.
 
-### Steps for Upgrading to Version 3.0.0:
+### Steps for Upgrading to Version 3.0.1:
 
 1. **Backup Your Database**:
     - As a best practice, always back up your current database before performing an upgrade. This precaution ensures you
@@ -13,7 +13,7 @@ no significant database schema changes introduced. This guide provides the steps
 2. **Update Package**:
     - Upgrade to the latest version by running:
       ```bash
-      pip install django-appointment==3.0.0
+      pip install django-appointment==3.0.1
       ```
 
 3. **Run Migrations** (if any):
@@ -27,17 +27,17 @@ no significant database schema changes introduced. This guide provides the steps
 4. **Review and Test**:
     - After upgrading, thoroughly test your application to ensure all functionalities are working as expected with the
       new version.
-    - Pay special attention to features affected by the updates in version 3.0.0, as detailed in the release notes.
+    - Pay special attention to features affected by the updates in version 3.x.x, as detailed in the release notes.
 
 ### Troubleshooting:
 
 - **Issues Post Migration**:
-    - If you encounter issues after migration, consult the release notes for version 3.0.0 for specific updates that
+    - If you encounter issues after migration, consult the release notes for version 3.0.1 for specific updates that
       might affect your setup.
     - Check the Django logs for any error messages that can provide insights into issues.
 
 ### Important Notes 📝:
 
-- No database schema changes were introduced in version 3.0.0, so the migration process should be straightforward.
+- No database schema changes were introduced in version 3.0.1, so the migration process should be straightforward.
 - As with any upgrade, testing in a development or staging environment before applying changes to your production
   environment is highly recommended.