Allow document permissions to selected groups

HyphaApp · Sep 23, 2024 · b42dbd8 · b42dbd8
1 parent 6e5d12f
commit b42dbd8
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 22 deletions.
diff --git a/hypha/apply/projects/admin_forms.py b/hypha/apply/projects/admin_forms.py
@@ -0,0 +1,19 @@
+from wagtail.admin.forms import WagtailAdminModelForm
+
+from hypha.apply.users.groups import GROUPS_ORG_FACULTY
+from hypha.apply.users.models import Group
+
+
+class ContractDocumentCategoryAdminForm(WagtailAdminModelForm):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        if not self.instance.pk:  # New instance, not saved yet
+            default_groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY)
+            self.fields["document_access_view"].queryset = default_groups
+            self.fields["document_access_view"].initial = default_groups.values_list(
+                "pk", flat=True
+            )
+            self.initial["document_access_view"] = list(
+                default_groups.values_list("pk", flat=True)
+            )
diff --git a/...category_restrict_document_access_view.py → ...tdocumentcategory_document_access_view.py b/...category_restrict_document_access_view.py → ...tdocumentcategory_document_access_view.py
@@ -1,4 +1,4 @@
-# Generated by Django 4.2.15 on 2024-09-17 04:02
+# Generated by Django 4.2.15 on 2024-09-23 11:16
 
 from django.db import migrations, models
 
@@ -12,13 +12,16 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AddField(
             model_name="contractdocumentcategory",
-            name="restrict_document_access_view",
+            name="document_access_view",
             field=models.ManyToManyField(
                 blank=True,
-                help_text="Only selected group's users will be restricted from document access",
+                help_text="Only selected group's users can access the document",
+                limit_choices_to={
+                    "name__in": ["Staff", "Staff Admin", "Finance", "Contracting"]
+                },
                 related_name="contract_document_category",
                 to="auth.group",
-                verbose_name="Restrict document access for groups",
+                verbose_name="Allow document access for groups",
             ),
         ),
     ]
diff --git a/hypha/apply/projects/migrations/0089_auto_20240923_1154.py b/hypha/apply/projects/migrations/0089_auto_20240923_1154.py
@@ -0,0 +1,26 @@
+# Generated by Django 4.2.15 on 2024-09-23 11:54
+
+from django.db import migrations
+from hypha.apply.users.groups import GROUPS_ORG_FACULTY
+
+
+def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor):
+    ContractDocumentCategory = apps.get_model(
+        "application_projects", "ContractDocumentCategory"
+    )
+    Group = apps.get_model("auth", "Group")
+
+    groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY)
+    for category in ContractDocumentCategory.objects.all():
+        # Add the default groups to the document_access_view field
+        category.document_access_view.add(*groups)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("application_projects", "0088_contractdocumentcategory_document_access_view"),
+    ]
+
+    operations = [
+        migrations.RunPython(allow_internal_groups_to_contractdocumentcategory)
+    ]
diff --git a/hypha/apply/projects/models/project.py b/hypha/apply/projects/models/project.py
@@ -28,8 +28,10 @@
 from hypha.apply.funds.models.mixins import AccessFormData
 from hypha.apply.stream_forms.files import StreamFieldDataEncoder
 from hypha.apply.stream_forms.models import BaseStreamForm
+from hypha.apply.users.groups import GROUPS_ORG_FACULTY
 from hypha.apply.utils.storage import PrivateStorage
 
+from ..admin_forms import ContractDocumentCategoryAdminForm
 from ..blocks import ProjectFormCustomFormFieldsBlock
 from .vendor import Vendor
 
@@ -741,12 +743,11 @@ class Meta:
 class ContractDocumentCategory(models.Model):
     name = models.CharField(max_length=254)
     recommended_minimum = models.PositiveIntegerField(null=True, blank=True)
-    restrict_document_access_view = models.ManyToManyField(
+    document_access_view = models.ManyToManyField(
         Group,
-        verbose_name=_("Restrict document access for groups"),
-        help_text=_(
-            "Only selected group's users will be restricted from document access"
-        ),
+        limit_choices_to={"name__in": GROUPS_ORG_FACULTY},
+        verbose_name=_("Allow document access for groups"),
+        help_text=_("Only selected group's users can access the document"),
         related_name="contract_document_category",
         blank=True,
     )
@@ -768,12 +769,12 @@ class Meta:
     panels = [
         FieldPanel("name"),
         FieldPanel("required"),
-        FieldPanel(
-            "restrict_document_access_view", widget=forms.CheckboxSelectMultiple
-        ),
+        FieldPanel("document_access_view", widget=forms.CheckboxSelectMultiple),
         FieldPanel("template"),
     ]
 
+    base_form_class = ContractDocumentCategoryAdminForm
+
 
 class Deliverable(models.Model):
     external_id = models.CharField(

diff --git a/hypha/apply/projects/permissions.py b/hypha/apply/projects/permissions.py
@@ -2,6 +2,7 @@
 from django.core.exceptions import PermissionDenied
 
 from hypha.apply.activity.adapters.utils import get_users_for_groups
+from hypha.apply.users.models import User
 
 from .models.project import (
     CLOSING,
@@ -365,20 +366,13 @@ def can_access_project(user, project):
 
 
 def can_view_contract_category_documents(user, project, **kwargs):
-    from hypha.apply.activity.adapters.utils import get_users_for_groups
-
     contract_category = kwargs.get("contract_category")
     if not contract_category:
         return False, "Contract Category is required"
-    restricted_group_users = get_users_for_groups(
-        list(contract_category.restrict_document_access_view.all())
+    allowed_group_users = User.objects.filter(
+        groups__name__in=list(contract_category.document_access_view.all())
     )
-    if restricted_group_users and user in restricted_group_users:
-        return False, "Forbidden Error"
-    if user.is_apply_staff or user.is_contracting:
-        return True, "Access allowed"
-
-    if user == project.user:
+    if allowed_group_users and user in allowed_group_users:
         return True, "Access allowed"
 
     return False, "Forbidden Error"

diff --git a/hypha/apply/users/groups.py b/hypha/apply/users/groups.py
@@ -91,3 +91,10 @@
         "help_text": CONTRACTING_HELP_TEXT,
     },
 ]
+
+GROUPS_ORG_FACULTY = [
+    STAFF_GROUP_NAME,
+    TEAMADMIN_GROUP_NAME,
+    FINANCE_GROUP_NAME,
+    CONTRACTING_GROUP_NAME,
+]