From 5e43d627d72331b37d5b0359cf3c233ed9f2342c Mon Sep 17 00:00:00 2001
From: Stefan Wehrmeyer
Date: Mon, 20 Jun 2022 11:18:38 +0200
Subject: [PATCH] Fix visibility of non-public plans in section list
---
 froide_govplan/admin.py | 14 +-------------
 froide_govplan/auth.py | 14 ++++++++++++++
 froide_govplan/models.py | 14 +++++++-------
 froide_govplan/views.py | 4 +++-
 4 files changed, 25 insertions(+), 21 deletions(-)
 create mode 100644 froide_govplan/auth.py
diff --git a/froide_govplan/admin.py b/froide_govplan/admin.py
index b467d63..a98a271 100644
--- a/froide_govplan/admin.py
+++ b/froide_govplan/admin.py
@@ -13,6 +13,7 @@ from froide.helper.widgets import TagAutocompleteWidget
 from froide.organization.models import Organization
 from .api_views import GovernmentPlanViewSet
+from .auth import get_allowed_plans, has_limited_access
 from .forms import (
 GovernmentPlanForm,
 GovernmentPlanUpdateAcceptProposalForm,
@@ -53,19 +54,6 @@ class GovernmentAdmin(admin.ModelAdmin):
 list_filter = ("public",)
-def has_limited_access(user):
- if not user.is_authenticated:
- return True
- return not user.has_perm("froide_govplan.add_governmentplan")
-
-
-def get_allowed_plans(request):
- if not has_limited_access(request.user):
- return GovernmentPlan.objects.all()
- groups = request.user.groups.all()
- return GovernmentPlan.objects.filter(group__in=groups).distinct()
-
-
 def execute_assign_organization(admin, request, queryset, action_obj):
 queryset.update(organization=action_obj)
diff --git a/froide_govplan/auth.py b/froide_govplan/auth.py
new file mode 100644
index 0000000..e500a63
--- /dev/null
+++ b/froide_govplan/auth.py
@@ -0,0 +1,14 @@
+from .models import GovernmentPlan
+
+
+def has_limited_access(user):
+ if not user.is_authenticated:
+ return True
+ return not user.has_perm("froide_govplan.add_governmentplan")
+
+
+def get_allowed_plans(request):
+ if not has_limited_access(request.user):
+ return GovernmentPlan.objects.all()
+ groups = request.user.groups.all()
+ return GovernmentPlan.objects.filter(group__in=groups).distinct()
diff --git a/froide_govplan/models.py b/froide_govplan/models.py
index c9c514f..cfe1a21 100644
--- a/froide_govplan/models.py
+++ b/froide_govplan/models.py
@@ -427,14 +427,14 @@ class GovernmentPlanSection(models.Model):
 def get_absolute_domain_url(self):
 return settings.SITE_URL + self.get_absolute_url()
- def get_plans(self):
- return (
- GovernmentPlan.objects.filter(
- categories__in=self.categories.all(), government_id=self.government_id
- )
- .distinct()
- .order_by("title")
+ def get_plans(self, queryset=None):
+ if queryset is None:
+ queryset = GovernmentPlan.objects.filter(public=True)
+
+ queryset = queryset.filter(
+ categories__in=self.categories.all(), government_id=self.government_id
 )
+ return queryset.distinct().order_by("title")
 if CMSPlugin:
diff --git a/froide_govplan/views.py b/froide_govplan/views.py
index fd896c0..5508c84 100644
--- a/froide_govplan/views.py
+++ b/froide_govplan/views.py
@@ -4,6 +4,7 @@ from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, UpdateView
+from .auth import get_allowed_plans
 from .forms import GovernmentPlanUpdateProposalForm
 from .models import Government, GovernmentPlan, GovernmentPlanSection
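Review bot: `get_allowed_plans` in the new froide_govplan/auth.py has no docstring saying that it scopes by permission and group only and never looks at `public`, which matters now that views.py imports it alongside admin.py. As written, a user holding `froide_govplan.add_governmentplan` gets every plan, and anyone else gets only plans whose `group` is one of their groups. I would add a docstring such as `"""Return the plans the request's user has access to by permission or group; does not filter on public."""`, and a comment on `has_limited_access` noting that unauthenticated users always count as limited.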
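Review bot: The `public=True` filter in `get_plans` in froide_govplan/models.py is applied only when `queryset` is None, so any caller that passes a queryset takes over the visibility decision, and nothing in the signature says so. A docstring would make that contract explicit, for example `"""Return this section's plans ordered by title; defaults to public plans only, a passed queryset must already be limited to what the viewer may see."""`. The enclosing class GovernmentPlanSection starts outside the hunk.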
@@ -33,7 +34,8 @@ class GovPlanSectionDetailView(GovernmentMixin, DetailView):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
- context["plans"] = context["object"].get_plans()
+ queryset = get_allowed_plans(self.request)
+ context["plans"] = context["object"].get_plans(queryset=queryset)
 return context
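Review bot: The queryset handed to `get_plans()` in `get_context_data` comes from `get_allowed_plans`, which for a user without `froide_govplan.add_governmentplan` returns only plans in that user's groups and has no `public=True` term, so the public default inside `get_plans` is never reached from this view. For an anonymous request Django's `request.user.groups.all()` is empty, so the section page would presumably list no plans at all, and a logged-in limited user would lose public plans that belong to other groups. If public plans are meant to stay visible to every visitor, build the queryset as `queryset = GovernmentPlan.objects.filter(Q(public=True) | Q(pk__in=get_allowed_plans(self.request)))`, with `Q` imported from `django.db.models`. A regression test that requests the section page anonymously and checks that a public plan is listed and a non-public one is not would pin the intended behaviour. The class GovPlanSectionDetailView starts outside the hunk.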