Permission issues in view_comments and can_bulk_archive_submissions (#4758)

The view_comments always returned True for any authenticated user due to
minor bug.

Author: frjo

hypha/apply/funds/permissions.py

@@ -38,12 +38,9 @@ def can_edit_submission(user, submission):
     if submission.phase.permissions.can_edit(user):
         co_applicant = submission.co_applicants.filter(user=user).first()
         if co_applicant:
-            if co_applicant.role not in [CoApplicantRole.VIEW, CoApplicantRole.COMMENT]:
-                return (
-                    True,
-                    "Co-applicant with read/view only or comment access can't edit submission",
-                )
-            return False, ""
+            if co_applicant.role == CoApplicantRole.EDIT:
+                return True, "Co-applicant with edit role can edit submission"
+            return False, "Co-applicant does not have edit role"
         return True, "User can edit in current phase"
     return False, ""
 
@@ -55,11 +52,15 @@ def view_comments(role, user, submission) -> bool:
     if role == StaffAdmin:
         return True
 
-    if is_user_has_access_to_view_submission(user, submission):
+    submission_view, _ = can_view_submission(user, submission)
+    if submission_view:
         return True
 
-    if submission.project and can_access_project(user, submission.project):
-        return True
+    project = getattr(submission, "project", None)
+    if project:
+        can_access, _ = can_access_project(user, project)
+        if can_access:
+            return True
 
     return False
 
@@ -145,6 +146,7 @@ def get_archive_alter_groups() -> list:
 def can_alter_archived_submissions(user, submission=None) -> (bool, str):
     """
     Return a boolean based on if a user can alter archived submissions
+    (submission is accepted for compatibility with permissions_map but not used)
     """
     archive_access_groups = get_archive_alter_groups()
 
@@ -156,10 +158,8 @@ def can_alter_archived_submissions(user, submission=None) -> (bool, str):
 
 
 def can_bulk_archive_submissions(user) -> bool:
-    if can_alter_archived_submissions(user) and can_bulk_delete_submissions(user):
-        return True
-
-    return False
+    can_alter, _ = can_alter_archived_submissions(user)
+    return can_alter and can_bulk_delete_submissions(user)
 
 
 def can_change_external_reviewers(user, submission) -> bool:
@@ -202,7 +202,7 @@ def can_export_submissions(user) -> bool:
     return False
 
 
-def is_user_has_access_to_view_submission(user, submission):
+def can_view_submission(user, submission):
     if not user.is_authenticated:
         return False, "Login Required"
 
@@ -224,7 +224,7 @@ def is_user_has_access_to_view_submission(user, submission):
 
 
 def can_view_submission_screening(user, submission):
-    submission_view, _ = is_user_has_access_to_view_submission(user, submission)
+    submission_view, _ = can_view_submission(user, submission)
     if not submission_view:
         return False, "No access to view submission"
     if submission.user == user:
@@ -235,13 +235,14 @@ def can_view_submission_screening(user, submission):
 def can_invite_co_applicants(user, submission):
     if submission.is_archive:
         return False, "Co-applicant can't be added to archived submission"
-    if hasattr(submission, "project"):
+    project = getattr(submission, "project", None)
+    if project:
         from hypha.apply.projects.models.project import COMPLETE
 
-        if submission.project.status == COMPLETE:
+        if project.status == COMPLETE:
             return False, "Co-applicants can't be invited to completed projects"
     if (
-        submission.co_applicant_invites.all().count()
+        submission.co_applicant_invites.count()
         >= settings.SUBMISSIONS_COAPPLICANT_INVITES_LIMIT
     ):
         return False, "Limit reached for this submission"
@@ -263,10 +264,11 @@ def can_view_co_applicants(user, submission):
 def can_update_co_applicant(user, invite):
     if invite.submission.is_archive:
         return False, "Co-applicant can't be updated to archived submission"
-    if hasattr(invite.submission, "project"):
+    project = getattr(invite.submission, "project", None)
+    if project:
         from hypha.apply.projects.models.project import COMPLETE
 
-        if invite.submission.project.status == COMPLETE:
+        if project.status == COMPLETE:
             return False, "Co-applicants can't be updated to completed projects"
     if invite.invited_by == user:
         return True, "Same user who invited can delete the co-applicant"
@@ -285,7 +287,7 @@ def user_can_view_post_comment_form(user, submission):
 
 
 permissions_map = {
-    "submission_view": is_user_has_access_to_view_submission,
+    "submission_view": can_view_submission,
     "submission_edit": can_edit_submission,
     "submission_action": can_take_submission_actions,
     "can_view_submission_screening": can_view_submission_screening,