Merge pull request #595 from ryantrinh05/permissions

Added committee-based permissions

Author: ryantrinh05

hknweb/settings/common.py

@@ -15,6 +15,8 @@
 
 from hknweb.utils import DATETIME_12_HOUR_FORMAT
 
+from enum import Enum
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
@@ -179,7 +181,49 @@
 CAND_GROUP = "candidate"
 OFFICER_GROUP = "officer"
 EXEC_GROUP = "exec"
-
+MEMBER_GROUP = "member"
+
+# committee groups
+ACT_GROUP = "act"
+BRIDGE_GROUP = "bridge"
+COMPSERV_GROUP = "compserv"
+DECAL_GROUP = "decal"
+INDREL_GROUP = "indrel"
+PRODEV_GROUP = "prodev"
+SERV_GROUP = "serv"
+STUDREL_GROUP = "studrel"
+TUTORING_GROUP = "tutoring"
+
+COMMITTEE_GROUPS = (
+    ACT_GROUP,
+    BRIDGE_GROUP,
+    COMPSERV_GROUP,
+    DECAL_GROUP,
+    INDREL_GROUP,
+    PRODEV_GROUP,
+    SERV_GROUP,
+    STUDREL_GROUP,
+    TUTORING_GROUP,
+)
+
+# exec groups
+CSEC_GROUP = "csec"
+PRES_GROUP = "pres"
+RSEC_GROUP = "rsec"
+TRES_GROUP = "tres"
+IVP_GROUP = "ivp"
+EVP_GROUP = "evp"
+DEPREL_GROUP = "deprel"
+
+EXEC_GROUPS = (
+    CSEC_GROUP,
+    PRES_GROUP,
+    RSEC_GROUP,
+    TRES_GROUP,
+    IVP_GROUP,
+    EVP_GROUP,
+    DEPREL_GROUP,
+)
 
 # Note: both candidate and officer group should have permission to add officer challenges
 

hknweb/studentservices/views.py

@@ -11,8 +11,8 @@
 from hknweb.events.views.event_transactions.show_event import show_details_helper
 from hknweb.utils import (
     allow_public_access,
-    login_and_access_level,
     GROUP_TO_ACCESSLEVEL,
+    login_and_committee,
 )
 from hknweb.studentservices.models import (
     CourseGuideNode,
@@ -192,7 +192,7 @@ def course_description(request, slug):
     return render(request, "studentservices/course_description.html", context=context)
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def edit_description(request, slug):
     course = get_object_or_404(CourseDescription, slug=slug)
     if request.method == "GET":
@@ -211,7 +211,7 @@ def edit_description(request, slug):
     return render(request, "studentservices/course_edit.html", context=context)
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def delete_description(request, slug):
     course = get_object_or_404(CourseDescription, slug=slug)
 

hknweb/templates/about/people.html

@@ -17,22 +17,24 @@
     }
 </style>
 <script>
-    function toggle_edit(button) {
-        button.disabled = true;
+    {% if viewer_in_bridge %}
+        function toggle_edit(button) {
+            button.disabled = true;
 
-        const urlParams = new URLSearchParams(window.location.search);
-        if (urlParams.has("edit")) {
-            urlParams.delete("edit");
-        } else {
-            urlParams.set("edit", "true");
-        }
+            const urlParams = new URLSearchParams(window.location.search);
+            if (urlParams.has("edit")) {
+                urlParams.delete("edit");
+            } else {
+                urlParams.set("edit", "true");
+            }
 
-        if (history.pushState) {
-            var newurl = window.location.origin + window.location.pathname + "?" + urlParams.toString();
-            window.history.replaceState({path: newurl}, "", newurl);
-            window.location = window.location;
+            if (history.pushState) {
+                var newurl = window.location.origin + window.location.pathname + "?" + urlParams.toString();
+                window.history.replaceState({path: newurl}, "", newurl);
+                window.location = window.location;
+            }
         }
-    }
+    {% endif %}
 </script>
 
 <script async src="//embedr.flickr.com/assets/client-code.js" charset="utf-8"></script>
@@ -53,7 +55,7 @@
 {% block content %}
     <div style="text-align: center; overflow: auto;">
         <!-- Edit button -->
-        {% if is_officer %}
+        {% if viewer_in_bridge %}
             <button
                 onclick="toggle_edit(this)"
                 style="border-radius: 0.3em; border-width: 0.02em;"

hknweb/templates/committees.html

@@ -7,12 +7,13 @@
 
 
 {% block "portal-content" %}
-
-<a href="{% url 'tutoring:tutoring_portal' %}"> 
-    <div class="portal-content">
-        <h2>Tutoring</h2>
-    </div> 
-</a>
+{% if viewer_in_tutoring %}
+    <a href="{% url 'tutoring:tutoring_portal' %}"> 
+        <div class="portal-content">
+            <h2>Tutoring</h2>
+        </div> 
+    </a>
+{% endif %}
 
 <a href="{% url 'login' %}?next={{ request.path|urlencode }}">
     <div class="portal-content">

hknweb/templates/studentservices/course_description.html

@@ -16,7 +16,7 @@
             <!-- Title -->
             <div class="course-title-section">
                 <h2 class="course-title">{{ course.title|default:"Course Title" }}</h2>
-                {% if viewer_is_an_officer %}
+                {% if viewer_in_tutoring %}
                     <p> Last Updated: {{ course.updated_at }} </p>
                     <a href="{{ request.path }}edit"> Edit Page </a>
                 {% endif %}

hknweb/tutoring/views/courses.py

@@ -1,10 +1,11 @@
 from django.shortcuts import render
-from hknweb.utils import login_and_access_level, GROUP_TO_ACCESSLEVEL
+from hknweb.utils import login_and_committee
 from hknweb.studentservices.models import CourseDescription
 from hknweb.tutoring.forms import AddCourseForm
+from django.conf import settings
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def courses(request):
     if request.method == "POST":
         new_course = AddCourseForm(request.POST)

hknweb/tutoring/views/tutoringportal.py

@@ -1,7 +1,8 @@
 from django.shortcuts import render
-from hknweb.utils import login_and_access_level, GROUP_TO_ACCESSLEVEL
+from hknweb.utils import login_and_committee, GROUP_TO_ACCESSLEVEL
+from django.conf import settings
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def tutoringportal(request):
     return render(request, "tutoring/portal.html")

hknweb/utils.py

@@ -21,8 +21,6 @@
 from django.utils.safestring import mark_safe
 from pytz import timezone
 
-###
-
 
 # constants
 
@@ -99,6 +97,49 @@ def login_and_access_level(access_level):
     )
 
 
+# Committee Permission Checks
+def committee_required(committee):
+    if committee not in settings.COMMITTEE_GROUPS:
+        return ValueError("Invalid Committee Group")
+
+    def test_user(user):
+        if (
+            not user.groups.filter(name=committee).exists()
+            and not user.groups.filter(name=settings.EXEC_GROUP).exists()
+        ):
+            raise PermissionDenied
+        return True
+
+    return user_passes_test(test_user)
+
+
+def login_and_committee(committee):
+    return _wrap_with_access_check(
+        f"Must be in {committee}",
+        committee_required(committee),
+    )
+
+
+# Exec Permission Checks
+def exec_required(position):
+    if position not in settings.EXEC_GROUPS:
+        return ValueError("Invalid Exec Position")
+
+    def test_user(user):
+        if not user.groups.filter(name=position).exists():
+            raise PermissionDenied
+        return True
+
+    return user_passes_test(test_user)
+
+
+def login_and_exec(position):
+    return _wrap_with_access_check(
+        f"Must be {position}",
+        exec_required(position),
+    )
+
+
 def method_login_and_permission(permission_name):
     return method_decorator(login_and_permission(permission_name), name="dispatch")
 

hknweb/views/people.py

@@ -2,6 +2,8 @@
 from django.db.models import QuerySet
 from django.contrib.auth.models import User
 from django.http import Http404
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
 
 from hknweb.utils import allow_public_access, get_access_level, GROUP_TO_ACCESSLEVEL
 
@@ -16,6 +18,13 @@ def people(request):
     if "semester" in request.GET and not request.GET["semester"].isdigit():
         raise Http404
 
+    is_bridge = request.user.groups.filter(name=settings.BRIDGE_GROUP).exists()
+
+    # Prevents unauthorized users from just typing the url to edit the page
+    if request.GET.get("edit") == "true":
+        if not is_bridge:
+            raise PermissionDenied
+
     semester: Semester = Semester.objects.filter(
         pk=request.GET.get("semester") or None
     ).first()
@@ -40,10 +49,8 @@ def people(request):
             committee__is_exec=False
         ).order_by("committee__name")
 
-    is_officer = get_access_level(request.user) <= GROUP_TO_ACCESSLEVEL["officer"]
-
     form = ProfilePictureForm(request.POST)
-    if is_officer and request.method == "POST":
+    if is_bridge and request.method == "POST":
         user = User.objects.get(pk=request.POST["user_id"])
         form.instance = user.profile
         if form.is_valid():
@@ -52,7 +59,6 @@ def people(request):
     context = {
         "execs": execs,
         "committeeships": committeeships,
-        "is_officer": is_officer,
         "form": form,
         "semester_select_form": SemesterSelectForm({"semester": semester}),
     }

hknweb/views/users.py

@@ -21,19 +21,26 @@
 
 # context processor for base to know whether a user is in the officer group
 def add_officer_context(request):
-    return {
-        "viewer_is_an_officer": request.user.groups.filter(
-            name=settings.OFFICER_GROUP
-        ).exists()
+    usergroups = request.user.groups
+    context = {
+        "viewer_is_an_officer": usergroups.filter(name=settings.OFFICER_GROUP).exists()
     }
+    for committee in settings.COMMITTEE_GROUPS:
+        context[f"viewer_in_{committee}"] = (
+            usergroups.filter(name=committee).exists()
+            or usergroups.filter(name=settings.EXEC_GROUP).exists()
+        )
+    return context
 
 
 def add_exec_context(request):
-    return {
-        "viewer_is_an_exec": request.user.groups.filter(
-            name=settings.EXEC_GROUP
-        ).exists()
+    usergroups = request.user.groups
+    context = {
+        "viewer_is_an_exec": usergroups.filter(name=settings.EXEC_GROUP).exists()
     }
+    for exec in settings.EXEC_GROUPS:
+        context[f"viewer_in_{exec}"] = usergroups.filter(name=exec).exists()
+    return context
 
 
 def get_current_cand_semester():  # pragma: no cover
@@ -77,7 +84,7 @@ def account_create(request):
                     candidate_password.lower()
                     == form.cleaned_data["candidate_password"].lower()
                 ):
-                    group = Group.objects.get(name=settings.CAND_GROUP)
+                    group = Group.objects.get(name=settings.UserGroup.CAND_GROUP)
                     group.user_set.add(user)
                     group.save()