✨ permissions refactoring: manage deletion permissions - ♻ refactoring "can_do"

author: Étienne Loks <etienne.loks@iggdrasil.net> 2024-11-04 17:55:21 +0100
committer: Étienne Loks <etienne.loks@iggdrasil.net> 2025-02-19 14:43:49 +0100
commit: ba26387f09de20d9537d075dcea5221fb3532a5a (patch)
tree: e8fadab722e806ee1511ac0f996afcc9fb44ce09 /ishtar_common
parent: 547a20789faf6bbc9979357c7f65cbe61e56ed07 (diff)
download: Ishtar-ba26387f09de20d9537d075dcea5221fb3532a5a.tar.bz2
Ishtar-ba26387f09de20d9537d075dcea5221fb3532a5a.zip
6 files changed, 127 insertions, 50 deletions
diff --git a/ishtar_common/ishtar_menu.py b/ishtar_common/ishtar_menu.py
index aa8ed3b8f..8cf047d51 100644
--- a/ishtar_common/ishtar_menu.py
+++ b/ishtar_common/ishtar_menu.py
@@ -72,8 +72,8 @@ MENU_SECTIONS = [
                             "person_deletion",
                             _("Deletion"),
                             model=models.Person,
-                            access_controls=["ishtar_common.change_person",
-                                             "ishtar_common.change_own_person"],
+                            access_controls=["ishtar_common.delete_person",
+                                             "ishtar_common.delete_own_person"],
                         ),
                     ],
                 ),
@@ -147,8 +147,8 @@ MENU_SECTIONS = [
                             _("Deletion"),
                             model=models.Organization,
                             access_controls=[
-                                "ishtar_common.change_organization",
-                                "ishtar_common.change_own_organization",
+                                "ishtar_common.delete_organization",
+                                "ishtar_common.delete_own_organization",
                             ],
                         ),
                     ],
@@ -210,8 +210,8 @@ MENU_SECTIONS = [
                     "document/delete",
                     _("Deletion"),
                     model=models.Document,
-                    access_controls=["ishtar_common.change_document",
-                                     "ishtar_common.change_own_document"],
+                    access_controls=["ishtar_common.delete_document",
+                                     "ishtar_common.delete_own_document"],
                 ),
             ],
         ),
diff --git a/ishtar_common/migrations/0255_migrate_delete_permissions.py b/ishtar_common/migrations/0255_migrate_delete_permissions.py
new file mode 100644
index 000000000..61b63c0df
--- /dev/null
+++ b/ishtar_common/migrations/0255_migrate_delete_permissions.py
@@ -0,0 +1,52 @@
+# Generated by Django 2.2.28 on 2024-11-04 16:52
+
+from django.db import migrations
+
+
+def migrate_permission(apps, __):
+    Permission = apps.get_model("auth", "permission")
+    Group = apps.get_model("auth", "group")
+    ProfileType = apps.get_model("ishtar_common", "profiletype")
+    print()
+    for modif_group in Group.objects.filter(
+            name__endswith="modification/suppression").all():
+        name = modif_group.name.replace("/suppression", "")
+        modif_group.name = name
+        modif_group.save()
+        delete_permissions = []
+        for permission in modif_group.permissions.filter(
+                codename__startswith="change_").all():
+            codename = permission.codename.replace("change_", "delete_")
+            try:
+                delete_permission = Permission.objects.get(
+                    content_type=permission.content_type,
+                    codename=codename
+                )
+                delete_permissions.append(delete_permission)
+                if delete_permission in list(modif_group.permissions.all()):
+                    modif_group.permissions.remove(delete_permission)
+            except Permission.DoesNotExist:
+                print(f"Permission {codename} does not exist")
+
+        if not delete_permissions:
+            continue
+        delete_group = Group.objects.create(
+            name=name.replace("modification", "suppression")
+        )
+        print(f"* New group: {delete_group.name}")
+        for delete_permission in delete_permissions:
+            delete_group.permissions.add(delete_permission)
+        for profile_type in ProfileType.objects.filter(groups__pk=modif_group.pk).all():
+            profile_type.groups.add(delete_group)
+            print(f"\t- profile type {profile_type.label} updated")
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('ishtar_common', '0254_permissionrequests'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_permission)
+    ]
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index bf2cd666a..5b2e3fdbf 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -71,7 +71,7 @@ from django.core.exceptions import (
 )
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import SimpleUploadedFile
-from django.db import connection
+from django.db import connection, transaction
 from django.db.models import Q, Max, Count
 from django.db.models.signals import post_save, post_delete, m2m_changed
 from django.db.utils import DatabaseError
@@ -3440,7 +3440,8 @@ class GDPRLog(models.Model):
 
 
 class ProfileType(GeneralType):
-    groups = models.ManyToManyField(Group, verbose_name=_("Groups"), blank=True)
+    groups = models.ManyToManyField(Group, verbose_name=_("Groups"), blank=True,
+                                    related_name="profile_types")
     permission_requests = models.ManyToManyField(
         PermissionRequest, verbose_name=_("Permissions requests"), blank=True,
         related_name="profile_types"
@@ -3652,26 +3653,27 @@ class UserProfile(models.Model):
                     permission_type
                 )
         user_id = ishtar_user.user_ptr.pk
-        object_permissions = []
         item_ids = list(set(item_ids))
         permissions = list(set(permissions))
-        for permission in permissions:
-            permission_id = permission.pk
-            exclude = list(UserObjectPermission.objects.filter(
-                content_type_id=content_type.pk, permission_id=permission_id,
-                user_id=user_id
-            ).values_list("object_pk", flat=True))
-            object_permissions += [
-                UserObjectPermission(
-                    object_pk=str(item_id),
-                    content_type_id=content_type.pk,
-                    permission_id=permission_id,
+        with transaction.atomic():
+            object_permissions = []
+            for permission in permissions:
+                permission_id = permission.pk
+                exclude = list(UserObjectPermission.objects.filter(
+                    content_type_id=content_type.pk, permission_id=permission_id,
                     user_id=user_id
-                )
-                for item_id in item_ids if str(item_id) not in exclude
-            ]
-        if object_permissions:
-            UserObjectPermission.objects.bulk_create(object_permissions)
+                ).values_list("object_pk", flat=True))
+                object_permissions += [
+                    UserObjectPermission(
+                        object_pk=str(item_id),
+                        content_type_id=content_type.pk,
+                        permission_id=permission_id,
+                        user_id=user_id
+                    )
+                    for item_id in item_ids if str(item_id) not in exclude
+                ]
+            if object_permissions:
+                UserObjectPermission.objects.bulk_create(object_permissions)
 
     def save(
         self,
diff --git a/ishtar_common/templatetags/window_header.py b/ishtar_common/templatetags/window_header.py
index 23d779944..d85ce847b 100644
--- a/ishtar_common/templatetags/window_header.py
+++ b/ishtar_common/templatetags/window_header.py
@@ -33,6 +33,8 @@ def window_nav(context, item, window_id, show_url, modify_url='', histo_url='',
     can_edit = hasattr(item, 'can_edit') and item.can_edit(context['request'])
     if can_edit:
         modify_url_value = modify_url
+    can_delete = hasattr(item, 'can_delete') and item.can_delete(context['request'])
+    if can_delete:
         delete_url = getattr(item, "DELETE_URL", False)
     return {
         'current_user': context['request'].user,
diff --git a/ishtar_common/urls.py b/ishtar_common/urls.py
index 8bb8dd356..a98a34882 100644
--- a/ishtar_common/urls.py
+++ b/ishtar_common/urls.py
@@ -88,7 +88,7 @@ urlpatterns = [
     url(
         r"person_deletion/(?P<step>.+)?$",
         check_permissions(
-            ["ishtar_common.change_person", "ishtar_common.change_own_person"]
+            ["ishtar_common.delete_person", "ishtar_common.delete_own_person"]
         )(views.person_deletion_wizard),
         name="person_deletion",
     ),
@@ -149,7 +149,7 @@ urlpatterns = [
     url(
         r"organization_deletion/(?P<step>.+)?$",
         check_permissions(
-            ["ishtar_common.change_organization", "ishtar_common.change_own_organization"]
+            ["ishtar_common.delete_organization", "ishtar_common.delete_own_organization"]
         )(views.organization_deletion_wizard),
         name="organization_deletion",
     ),
@@ -633,7 +633,7 @@ urlpatterns += [
     url(
         r"document/delete/(?P<step>.+)?$",
         check_permissions(
-            ["ishtar_common.change_document", "ishtar_common.change_own_document"]
+            ["ishtar_common.delete_document", "ishtar_common.delete_own_document"]
         )(views.document_deletion_wizard),
         name="document_deletion",
     ),
@@ -711,8 +711,8 @@ urlpatterns += [
     url(
         r"geo/delete/(?P<pk>\d+)/$",
         check_permissions(
-            ["ishtar_common.change_geovectordata",
-                "ishtar_common.change_own_geovectordata"]
+            ["ishtar_common.delete_geovectordata",
+             "ishtar_common.delete_own_geovectordata"]
         )(views.GeoDeleteView.as_view()),
         name="delete-geo",
     ),
diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py
index 11ff45fa7..c35824906 100644
--- a/ishtar_common/utils.py
+++ b/ishtar_common/utils.py
@@ -422,44 +422,65 @@ class OwnPerms:
         """
         return None  # implement for each object
 
+    def can_add(self, request):
+        meta = self.__class__._meta
+        return self.can_do(
+            request, "add", app=meta.app_label, model_name=meta.model_name
+        )
+
     def can_view(self, request):
         meta = self.__class__._meta
-        perm = f"{meta.app_label}.view_{meta.model_name}"
-        return self.can_do(request, perm)
+        return self.can_do(
+            request, "view", app=meta.app_label, model_name=meta.model_name
+        )
+
+    def can_change(self, request):
+        return self.can_edit(request)
 
     def can_edit(self, request):
-        if not getattr(request.user, "ishtaruser", None):
-            return False
-        ishtaruser = request.user.ishtaruser
         meta = self.__class__._meta
-        perm = f"{meta.app_label}.change_{meta.model_name}"
-        if ishtaruser.has_permission(perm):
-            return True
-        own_perm = f"{meta.app_label}.change_own_{meta.model_name}"
-        if not ishtaruser.has_permission(own_perm):
-            return False
-        return self.is_own(ishtaruser)
+        return self.can_do(
+            request, "change", app=meta.app_label, model_name=meta.model_name
+        )
+
+    def can_delete(self, request):
+        meta = self.__class__._meta
+        return self.can_do(
+            request, "delete", app=meta.app_label, model_name=meta.model_name
+        )
 
-    def can_do(self, request, permission):
+    def can_do(self, request, permission, app=None, model_name=None):
         """
         Check permission availability for the current object.
         :param request: request object
         :param permission: action name eg: "archaelogical_finds.change_find" - "own"
-        variation is checked
+        variation is checked - can provide only simple permission (e.g. "change") if app
+        and model_name are provided
+        :param app: application name (if permission not fully provided)
+        :param model_name: model name (if permission not fully provided)
         :return: boolean
         """
         if not getattr(request.user, "ishtaruser", None):
             return False
 
-        if "_findbasket" in permission:
-            permission = permission.replace("basket", "")
+        if (app and not model_name) or (not app and model_name):
+            return False
+
+        if not app:
+            app, perm = permission.split(".")
+            p = perm.split("_")
+            permission = p[0]
+            model_name = ('_').join(p[1:])
+
+        if model_name == "findbasket":
+            model_name = "find"
+
         ishtaruser = request.user.ishtaruser
+        full_permission = f"{app}.{permission}_{model_name}"
 
-        if ishtaruser.has_permission(permission):
+        if ishtaruser.has_permission(full_permission):
             return True
-        app, perm = permission.split(".")
-        p = perm.split("_")
-        own = f"{app}.{p[0]}_own_{('_').join(p[1:])}"
+        own = f"{app}.{permission}_own_{model_name}"
         try:
             return ishtaruser.has_permission(own, self)
         except WrongAppError:
author	Étienne Loks <etienne.loks@iggdrasil.net>	2024-11-04 17:55:21 +0100
committer	Étienne Loks <etienne.loks@iggdrasil.net>	2025-02-19 14:43:49 +0100
commit	ba26387f09de20d9537d075dcea5221fb3532a5a (patch)
tree	e8fadab722e806ee1511ac0f996afcc9fb44ce09 /ishtar_common
parent	547a20789faf6bbc9979357c7f65cbe61e56ed07 (diff)
download	Ishtar-ba26387f09de20d9537d075dcea5221fb3532a5a.tar.bz2 Ishtar-ba26387f09de20d9537d075dcea5221fb3532a5a.zip