Permission improvements (#4831)

Author: frjo

hypha/apply/activity/views.py

@@ -134,7 +134,9 @@ class AttachmentView(PrivateMediaView):
     def dispatch(self, *args, **kwargs):
         file_pk = kwargs.get("file_pk")
         self.instance = get_object_or_404(ActivityAttachment, uuid=file_pk)
-
+        activity = self.instance.activity
+        if activity.visibility not in Activity.visibility_for(self.request.user):
+            raise PermissionDenied
         return super().dispatch(*args, **kwargs)
 
     def get_media(self, *args, **kwargs):

hypha/apply/funds/views/partials.py

@@ -3,7 +3,7 @@
 
 from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, user_passes_test
 from django.db.models import Q
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, render
@@ -31,6 +31,7 @@
 from hypha.apply.review.options import REVIEWER
 from hypha.apply.todo.options import DOWNLOAD_SUBMISSIONS_EXPORT
 from hypha.apply.todo.views import remove_tasks_of_related_obj_for_specific_code
+from hypha.apply.users.decorators import is_apply_staff
 from hypha.apply.users.roles import REVIEWER_GROUP_NAME
 
 from .. import services
@@ -244,6 +245,9 @@ def partial_reviews_card(request: HttpRequest, pk: str) -> HttpResponse:
         HttpResponse
     """
     submission = get_object_or_404(ApplicationSubmission, pk=pk)
+    has_permission(
+        "submission_view", request.user, object=submission, raise_exception=True
+    )
 
     assigned_reviewers = submission.assigned.review_order()
 
@@ -298,6 +302,7 @@ def partial_meta_terms_card(request, pk):
 
 
 @login_required
+@user_passes_test(is_apply_staff)
 @require_http_methods(["GET", "POST"])
 def sub_menu_update_status(request: HttpRequest) -> HttpResponse:
     submission_ids = request.GET.getlist("selectedSubmissionIds")
@@ -330,14 +335,15 @@ def sub_menu_update_status(request: HttpRequest) -> HttpResponse:
 
 
 @login_required
+@user_passes_test(is_apply_staff)
 @require_http_methods(["GET", "POST"])
 def sub_menu_bulk_update_lead(request: HttpRequest) -> HttpResponse:
     if request.method == "POST":
         submission_ids = request.POST.getlist("selectedSubmissionIds")
         lead = request.POST.get("lead")
 
         submissions = ApplicationSubmission.objects.filter(id__in=submission_ids)
-        lead = User.objects.get(id=lead)
+        lead = get_object_or_404(User.objects.staff(), id=lead)
 
         services.bulk_update_lead(
             submissions=submissions, user=request.user, request=request, lead=lead
@@ -368,6 +374,7 @@ def sub_menu_bulk_update_lead(request: HttpRequest) -> HttpResponse:
 
 
 @login_required
+@user_passes_test(is_apply_staff)
 @require_http_methods(["GET", "POST"])
 def sub_menu_bulk_update_reviewers(request: HttpRequest) -> HttpResponse:
     if request.method == "POST":

hypha/apply/projects/permissions.py

@@ -418,7 +418,28 @@ def can_view_contract_category_documents(user, project, **kwargs):
     return False, _("Forbidden Error")
 
 
+def can_skip_pafapproval_process(user, project, **kwargs):
+    if not user.is_authenticated:
+        return False, _("Login Required")
+
+    if project.status != DRAFT:
+        return False, _("Project is not in Draft state")
+
+    if not (user.is_apply_staff or user.is_apply_staff_admin):
+        return False, _("Only Staff can skip the PAF approval process")
+
+    if no_pafreviewer_role():
+        return True, _(
+            "Staff can skip PAF approval when no reviewer roles are configured"
+        )
+
+    return False, _("PAF reviewer roles are configured, cannot skip approval process")
+
+
 def can_edit_paf(user, project):
+    if not user.is_authenticated:
+        return False, _("Login Required")
+
     if no_pafreviewer_role() and project.status != COMPLETE:
         return True, _(
             "Project form is editable for active projects if no reviewer roles"
@@ -482,5 +503,6 @@ def add_invoice(role, user, project) -> bool:
     "submit_contract_documents": can_submit_contract_documents,
     "project_access": can_access_project,
     "paf_edit": can_edit_paf,
+    "skip_pafapproval_process": can_skip_pafapproval_process,
     "view_contract_documents": can_view_contract_category_documents,
 }

hypha/apply/projects/templatetags/project_tags.py

@@ -28,9 +28,10 @@ def project_show_reports_section(project):
 
 @register.simple_tag
 def user_can_skip_pafapproval_process(project, user):
-    if project.status == DRAFT and (user.is_apply_staff or user.is_apply_staff_admin):
-        return no_pafreviewer_role()
-    return False
+    permission, _ = has_permission(
+        "skip_pafapproval_process", user, object=project, raise_exception=False
+    )
+    return permission
 
 
 @register.simple_tag

hypha/apply/projects/views/project.py

@@ -675,11 +675,10 @@ class UploadContractView(ProjectBySubmissionIdMixin, View):
 
     def dispatch(self, request, *args, **kwargs):
         self.project = self.get_object()
-        permission, _ = has_permission(
-            "contract_upload", request.user, object=self.project
+        has_permission(
+            "contract_upload", request.user, object=self.project, raise_exception=True
         )
-        if permission:
-            return super().dispatch(request, *args, **kwargs)
+        return super().dispatch(request, *args, **kwargs)
 
     def get(self, *args, **kwargs):
         form = self.get_form()
@@ -818,13 +817,19 @@ def post(self, *args, **kwargs):
         )
 
 
+@method_decorator(login_required, name="dispatch")
 class SkipPAFApprovalProcessView(UpdateView):
     model = Project
     form_class = SkipPAFApprovalProcessForm
 
     def dispatch(self, request, *args, **kwargs):
         self.object = get_object_or_404(Project, id=kwargs.get("pk"))
-        # permissions
+        has_permission(
+            "skip_pafapproval_process",
+            request.user,
+            object=self.object,
+            raise_exception=True,
+        )
         return super().dispatch(request, *args, **kwargs)
 
     def form_valid(self, form):
@@ -884,7 +889,7 @@ def dispatch(self, request, *args, **kwargs):
         ).exists():
             raise PermissionDenied
         contract = self.project.contracts.order_by("-created_at").first()
-        permission, _ = has_permission(
+        has_permission(
             "submit_contract_documents",
             request.user,
             object=self.project,
@@ -1024,7 +1029,7 @@ class ChangePAFStatusView(View):
 
     def dispatch(self, request, *args, **kwargs):
         self.object = get_object_or_404(Project, submission__pk=self.kwargs["pk"])
-        permission, _ = has_permission(
+        has_permission(
             "paf_status_update",
             self.request.user,
             object=self.object,
@@ -1274,7 +1279,7 @@ class ChangeProjectstatusView(View):
 
     def dispatch(self, request, *args, **kwargs):
         self.project = get_object_or_404(Project, submission__id=self.kwargs["pk"])
-        permission, _ = has_permission(
+        has_permission(
             "project_status_update", request.user, self.project, raise_exception=True
         )
         return super().dispatch(request, *args, **kwargs)
@@ -1339,7 +1344,7 @@ class UpdateAssignApproversView(View):
 
     def dispatch(self, request, *args, **kwargs):
         self.project = get_object_or_404(Project, submission__id=self.kwargs["pk"])
-        permission, _ = has_permission(
+        has_permission(
             "update_paf_assigned_approvers",
             request.user,
             self.project,
@@ -1447,7 +1452,7 @@ class UpdatePAFApproversView(View):
 
     def dispatch(self, request, *args, **kwargs):
         self.project = get_object_or_404(Project, submission__id=self.kwargs["pk"])
-        permission, _ = has_permission(
+        has_permission(
             "paf_approvers_update",
             request.user,
             self.project,
@@ -1659,7 +1664,7 @@ class AdminProjectDetailView(
 
     def dispatch(self, *args, **kwargs):
         project = self.get_object()
-        permission, _ = has_permission(
+        has_permission(
             "project_access", self.request.user, object=project, raise_exception=True
         )
         return super().dispatch(*args, **kwargs)
@@ -1688,7 +1693,7 @@ class ApplicantProjectDetailView(
 
     def dispatch(self, request, *args, **kwargs):
         project = self.get_object()
-        permission, _ = has_permission(
+        has_permission(
             "project_access", request.user, object=project, raise_exception=True
         )
         return super().dispatch(request, *args, **kwargs)
@@ -1770,7 +1775,7 @@ class CategoryTemplatePrivateMediaView(ProjectBySubmissionIdMixin, PrivateMediaV
     def dispatch(self, *args, **kwargs):
         self.project = self.get_object()
         self.category_type = kwargs["type"]
-        permission, _ = has_permission(
+        has_permission(
             "project_access",
             self.request.user,
             object=self.project,
@@ -1834,7 +1839,7 @@ class ContractDocumentPrivateMediaView(ProjectBySubmissionIdMixin, PrivateMediaV
     def dispatch(self, *args, **kwargs):
         self.project = self.get_object()
         self.document = ContractPacketFile.objects.get(pk=kwargs["file_pk"])
-        permission, _ = has_permission(
+        has_permission(
             "view_contract_documents",
             self.request.user,
             object=self.project,
@@ -2033,6 +2038,7 @@ def get_supporting_documents(self, project):
         return documents_dict
 
 
+@method_decorator(staff_or_finance_or_contracting_required, name="dispatch")
 class ProjectFormsEditView(BaseStreamForm, ProjectBySubmissionIdMixin, UpdateView):
     model = Project
 
@@ -2042,11 +2048,7 @@ def buttons(self):
     def dispatch(self, request, *args, **kwargs):
         self.object = self.get_object()
 
-        permission, msg = has_permission(
-            "paf_edit", self.request.user, self.object, raise_exception=True
-        )
-        if not permission:
-            messages.info(self.request, msg)
+        has_permission("paf_edit", self.request.user, self.object, raise_exception=True)
         return super().dispatch(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):