[feature] Allowed ready only access of shared objects to non-superusers #238

Closes #238

Author: pandafy

openwisp_users/multitenancy.py

@@ -49,7 +49,9 @@ def get_queryset(self, request):
         if user.is_superuser:
             return qs
         if hasattr(self.model, 'organization'):
-            return qs.filter(organization__in=user.organizations_managed)
+            return qs.filter(
+                Q(organization__in=user.organizations_managed) | Q(organization=None)
+            )
         if self.model.__name__ == 'Organization':
             return qs.filter(pk__in=user.organizations_managed)
         elif not self.multitenant_parent:
@@ -58,6 +60,33 @@ def get_queryset(self, request):
             qsarg = '{0}__organization__in'.format(self.multitenant_parent)
             return qs.filter(**{qsarg: user.organizations_managed})
 
+    def _has_org_permission(self, request, obj, perm_func):
+        """
+        Helper method to check object-level permissions for users
+        associated with specific organizations.
+        """
+        perm = perm_func(request, obj)
+        if not request.user.is_superuser and obj and hasattr(obj, 'organization_id'):
+            perm = perm and (
+                obj.organization_id
+                and str(obj.organization_id) in request.user.organizations_managed
+            )
+        return perm
+
+    def has_change_permission(self, request, obj=None):
+        """
+        Returns True if the user has permission to change the object.
+        Non-superusers cannot change shared objects.
+        """
+        return self._has_org_permission(request, obj, super().has_change_permission)
+
+    def has_delete_permission(self, request, obj=None):
+        """
+        Returns True if the user has permission to delete the object.
+        Non-superusers cannot change shared objects.
+        """
+        return self._has_org_permission(request, obj, super().has_delete_permission)
+
     def _edit_form(self, request, form):
         """
         Modifies the form querysets as follows;
@@ -149,7 +178,9 @@ class MultitenantOrgFilter(AutocompleteFilter):
     org_lookup = 'id__in'
     title = _('organization')
     widget_attrs = AutocompleteFilter.widget_attrs.copy()
-    widget_attrs.update({'data-empty-label': SHARED_SYSTEMWIDE_LABEL})
+    widget_attrs.update(
+        {'data-empty-label': SHARED_SYSTEMWIDE_LABEL, 'data-is-filter': 'true'}
+    )
 
 
 class MultitenantRelatedOrgFilter(MultitenantOrgFilter):

openwisp_users/static/admin/js/autocomplete.js

@@ -0,0 +1,35 @@
+"use strict";
+{
+  const $ = django.jQuery;
+
+  $.fn.djangoAdminSelect2 = function () {
+    $.each(this, function (i, element) {
+      $(element).select2({
+        ajax: {
+          data: (params) => {
+            console.log("params", element.dataset);
+            return {
+              term: params.term,
+              page: params.page,
+              app_label: element.dataset.appLabel,
+              model_name: element.dataset.modelName,
+              field_name: element.dataset.fieldName,
+              is_filter: element.dataset.isFilter,
+            };
+          },
+        },
+      });
+    });
+    return this;
+  };
+
+  $(function () {
+    // Initialize all autocomplete widgets except the one in the template
+    // form used when a new formset is added.
+    $(".admin-autocomplete").not("[name*=__prefix__]").djangoAdminSelect2();
+  });
+
+  document.addEventListener("formset:added", (event) => {
+    $(event.target).find(".admin-autocomplete").djangoAdminSelect2();
+  });
+}

openwisp_users/views.py

@@ -43,5 +43,5 @@ def get_empty_label(self):
 
     def get_allow_null(self):
         if self.object_list.model == Organization:
-            return self.request.user.is_superuser
+            return self.request.user.is_superuser or self.request.GET.get('is_filter')
         return super().get_allow_null()