From 64a716413726a58dd16865b0e7aefa5984d9c51e Mon Sep 17 00:00:00 2001 From: sandeepsajan0 Date: Tue, 17 Sep 2024 09:38:26 +0530 Subject: [PATCH 1/5] Hide contracting category documents from restricted users --- ...tcategory_restrict_document_access_view.py | 24 +++++++++++++++++++ hypha/apply/projects/models/project.py | 12 ++++++++++ hypha/apply/projects/permissions.py | 21 ++++++++++++++++ .../includes/contracting_documents.html | 3 ++- .../projects/templatetags/contract_tools.py | 12 ++++++++++ hypha/apply/projects/views/project.py | 24 +++++++++---------- 6 files changed, 82 insertions(+), 14 deletions(-) create mode 100644 hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py diff --git a/hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py b/hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py new file mode 100644 index 0000000000..9a7b376f92 --- /dev/null +++ b/hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py @@ -0,0 +1,24 @@ +# Generated by Django 4.2.15 on 2024-09-17 04:02 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("auth", "0012_alter_user_first_name_max_length"), + ("application_projects", "0087_alter_pafreviewersrole_user_roles"), + ] + + operations = [ + migrations.AddField( + model_name="contractdocumentcategory", + name="restrict_document_access_view", + field=models.ManyToManyField( + blank=True, + help_text="Only selected group's users will be restricted from document access", + related_name="contract_document_category", + to="auth.group", + verbose_name="Restrict document access for groups", + ), + ), + ] diff --git a/hypha/apply/projects/models/project.py b/hypha/apply/projects/models/project.py index 993ca5ebd1..cbf2e81505 100644 --- a/hypha/apply/projects/models/project.py 
+++ b/hypha/apply/projects/models/project.py @@ -727,6 +727,15 @@ class Meta: class ContractDocumentCategory(models.Model): name = models.CharField(max_length=254) recommended_minimum = models.PositiveIntegerField(null=True, blank=True) + restrict_document_access_view = models.ManyToManyField( + Group, + verbose_name=_("Restrict document access for groups"), + help_text=_( + "Only selected group's users will be restricted from document access" + ), + related_name="contract_document_category", + blank=True, + ) required = models.BooleanField(default=True) template = models.FileField( upload_to=contract_document_template_path, @@ -745,6 +754,9 @@ class Meta: panels = [ FieldPanel("name"), FieldPanel("required"), + FieldPanel( + "restrict_document_access_view", widget=forms.CheckboxSelectMultiple + ), FieldPanel("template"), ] diff --git a/hypha/apply/projects/permissions.py b/hypha/apply/projects/permissions.py index 367b7ec529..f0cb7b95ee 100644 --- a/hypha/apply/projects/permissions.py +++ b/hypha/apply/projects/permissions.py @@ -364,6 +364,26 @@ def can_access_project(user, project): return False, "Forbidden Error" +def can_view_contract_category_documents(user, project, **kwargs): + from hypha.apply.activity.adapters.utils import get_users_for_groups + + contract_category = kwargs.get("contract_category") + if not contract_category: + return False, "Contract Category is required" + restricted_group_users = get_users_for_groups( + list(contract_category.restrict_document_access_view.all()) + ) + if restricted_group_users and user in restricted_group_users: + return False, "Forbidden Error" + if user.is_apply_staff or user.is_contracting: + return True, "Access allowed" + + if user == project.user: + return True, "Access allowed" + + return False, "Forbidden Error" + + def can_edit_paf(user, project): if no_pafreviewer_role() and project.status != COMPLETE: return True, "Paf is editable for active projects if no reviewer roles" 
@@ -387,4 +407,5 @@ def can_edit_paf(user, project): "submit_contract_documents": can_submit_contract_documents, "project_access": can_access_project, "paf_edit": can_edit_paf, + "view_contract_documents": can_view_contract_category_documents, } diff --git a/hypha/apply/projects/templates/application_projects/includes/contracting_documents.html b/hypha/apply/projects/templates/application_projects/includes/contracting_documents.html index 341bcfb74c..6cd10a6d51 100644 --- a/hypha/apply/projects/templates/application_projects/includes/contracting_documents.html +++ b/hypha/apply/projects/templates/application_projects/includes/contracting_documents.html @@ -177,7 +177,8 @@
{% trans "Are you sure you want to submit contracting documents?" %}
{% else %} {% contract_category_latest_file project document_category as latest_file %} - {% if latest_file %} + {% can_access_category_document project user document_category as have_view_access %} + {% if latest_file and have_view_access %}
{% heroicon_micro "eye" class="inline me-1 w-4 h-4" aria_hidden=true %} diff --git a/hypha/apply/projects/templatetags/contract_tools.py b/hypha/apply/projects/templatetags/contract_tools.py index 88c44f8793..6dc72f35e6 100644 --- a/hypha/apply/projects/templatetags/contract_tools.py +++ b/hypha/apply/projects/templatetags/contract_tools.py @@ -90,3 +90,15 @@ def can_update_contracting_documents(project, user): if user == project.user and not user.is_apply_staff and not user.is_contracting: return True return False + + +@register.simple_tag +def can_access_category_document(project, user, category): + permission, _ = has_permission( + "view_contract_documents", + user, + object=project, + contract_category=category, + raise_exception=False, + ) + return permission diff --git a/hypha/apply/projects/views/project.py b/hypha/apply/projects/views/project.py index 87ce0325a6..b9b11223a1 100644 --- a/hypha/apply/projects/views/project.py +++ b/hypha/apply/projects/views/project.py 
@@ -1704,28 +1704,26 @@ def test_func(self): @method_decorator(login_required, name="dispatch") -class ContractDocumentPrivateMediaView(UserPassesTestMixin, PrivateMediaView): +class ContractDocumentPrivateMediaView(PrivateMediaView): raise_exception = True def dispatch(self, *args, **kwargs): project_pk = self.kwargs["pk"] self.project = get_object_or_404(Project, pk=project_pk) + self.document = ContractPacketFile.objects.get(pk=kwargs["file_pk"]) + permission, _ = has_permission( + "view_contract_documents", + self.request.user, + object=self.project, + contract_category=self.document.category, + raise_exception=True, + ) return super().dispatch(*args, **kwargs) def get_media(self, *args, **kwargs): - document = ContractPacketFile.objects.get(pk=kwargs["file_pk"]) - if document.project != self.project: + if self.document.project != self.project: raise Http404 - return document.document - - def test_func(self): - if self.request.user.is_apply_staff or self.request.user.is_contracting: - return True - - if self.request.user == self.project.user: - return True - - return False + return self.document.document # PROJECT FORM VIEWS From 3d902e828a3fec6495c8255cde0904cbee0f5081 Mon Sep 17 00:00:00 2001 From: sandeepsajan0 Date: Mon, 23 Sep 2024 18:42:46 +0530 Subject: [PATCH 2/5] Allow document permissions to selected groups --- hypha/apply/projects/admin_forms.py | 19 ++++++++++++++ ...tdocumentcategory_document_access_view.py} | 11 +++++--- .../migrations/0089_auto_20240923_1154.py | 26 +++++++++++++++++++ hypha/apply/projects/models/project.py | 17 ++++++------ hypha/apply/projects/permissions.py | 14 +++------- 5 files changed, 65 insertions(+), 22 deletions(-) create mode 100644 hypha/apply/projects/admin_forms.py rename hypha/apply/projects/migrations/{0088_contractdocumentcategory_restrict_document_access_view.py => 0088_contractdocumentcategory_document_access_view.py} (59%) create mode 100644 hypha/apply/projects/migrations/0089_auto_20240923_1154.py 
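Review bot: In `dispatch`, `ContractPacketFile.objects.get(pk=kwargs["file_pk"])` runs before any project check, so an unknown `file_pk` raises `DoesNotExist` instead of producing a 404. The permission decision is also made on the category of a file that may belong to a different project than the `pk` in the URL; that mismatch is only rejected later, in `get_media`. Assuming `project` is a field on `ContractPacketFile`, binding the lookup to the project closes both gaps: `self.document = get_object_or_404(ContractPacketFile, pk=kwargs["file_pk"], project=self.project)`. The `permission, _ =` assignment is never read, since the call is made with `raise_exception=True` and appears to raise on denial. The class-level `raise_exception = True` may be dead now that `UserPassesTestMixin` is gone.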
diff --git a/hypha/apply/projects/admin_forms.py b/hypha/apply/projects/admin_forms.py new file mode 100644 index 0000000000..1e47e69c16 --- /dev/null +++ b/hypha/apply/projects/admin_forms.py @@ -0,0 +1,19 @@ +from wagtail.admin.forms import WagtailAdminModelForm + +from hypha.apply.users.groups import GROUPS_ORG_FACULTY +from hypha.apply.users.models import Group + + +class ContractDocumentCategoryAdminForm(WagtailAdminModelForm): + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + + if not self.instance.pk: # New instance, not saved yet + default_groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) + self.fields["document_access_view"].queryset = default_groups + self.fields["document_access_view"].initial = default_groups.values_list( + "pk", flat=True + ) + self.initial["document_access_view"] = list( + default_groups.values_list("pk", flat=True) + ) diff --git a/hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py b/hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py similarity index 59% rename from hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py rename to hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py index 9a7b376f92..cce2afb10b 100644 --- a/hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py +++ b/hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py @@ -1,4 +1,4 @@ -# Generated by Django 4.2.15 on 2024-09-17 04:02 +# Generated by Django 4.2.15 on 2024-09-23 11:16 from django.db import migrations, models 
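Review bot: `ContractDocumentCategoryAdminForm.__init__` sets the default selection twice, on `self.fields["document_access_view"].initial` and on `self.initial["document_access_view"]`. Django prefers the form-level value, so the field-level assignment can be dropped, keeping only `self.initial["document_access_view"] = list(default_groups.values_list("pk", flat=True))`. The queryset is narrowed only inside the `not self.instance.pk` branch, so edits of an existing category rely on the model field's `limit_choices_to`; a one-line comment saying so would prevent someone from removing that later. The class also has no docstring, and it should state that every new category starts with all internal groups pre-selected, since that default decides who can read the documents.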
@@ -12,13 +12,16 @@ class Migration(migrations.Migration): operations = [ migrations.AddField( model_name="contractdocumentcategory", - name="restrict_document_access_view", + name="document_access_view", field=models.ManyToManyField( blank=True, - help_text="Only selected group's users will be restricted from document access", + help_text="Only selected group's users can access the document", + limit_choices_to={ + "name__in": ["Staff", "Staff Admin", "Finance", "Contracting"] + }, related_name="contract_document_category", to="auth.group", - verbose_name="Restrict document access for groups", + verbose_name="Allow document access for groups", ), ), ] diff --git a/hypha/apply/projects/migrations/0089_auto_20240923_1154.py b/hypha/apply/projects/migrations/0089_auto_20240923_1154.py new file mode 100644 index 0000000000..4fcc9b1d81 --- /dev/null +++ b/hypha/apply/projects/migrations/0089_auto_20240923_1154.py @@ -0,0 +1,26 @@ +# Generated by Django 4.2.15 on 2024-09-23 11:54 + +from django.db import migrations +from hypha.apply.users.groups import GROUPS_ORG_FACULTY + + +def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): + ContractDocumentCategory = apps.get_model( + "application_projects", "ContractDocumentCategory" + ) + Group = apps.get_model("auth", "Group") + + groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) + for category in ContractDocumentCategory.objects.all(): + # Add the default groups to the document_access_view field + category.document_access_view.add(*groups) + + +class Migration(migrations.Migration): + dependencies = [ + ("application_projects", "0088_contractdocumentcategory_document_access_view"), + ] + + operations = [ + migrations.RunPython(allow_internal_groups_to_contractdocumentcategory) + ] diff --git a/hypha/apply/projects/models/project.py b/hypha/apply/projects/models/project.py index cbf2e81505..e45e3dc129 100644 --- a/hypha/apply/projects/models/project.py +++ b/hypha/apply/projects/models/project.py 
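Review bot: The new data migration `0089_auto_20240923_1154.py` imports `GROUPS_ORG_FACULTY` from application code and registers `RunPython` without a reverse function. A migration tied to a live constant breaks or changes meaning when that constant is renamed, which patch 5 then has to patch up by editing the migration, and without a reverse callable it cannot be unapplied. Inlining the group names and using `migrations.RunPython(allow_internal_groups_to_contractdocumentcategory, migrations.RunPython.noop)` avoids both. The same applies to the merged `0090_contractdocumentcategory_document_access_view.py` in patches 4 and 5. Because the loop grants document access on every existing category, a comment above it saying so would help whoever audits access later.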
@@ -26,8 +26,10 @@ from hypha.apply.funds.models.mixins import AccessFormData from hypha.apply.stream_forms.files import StreamFieldDataEncoder from hypha.apply.stream_forms.models import BaseStreamForm +from hypha.apply.users.groups import GROUPS_ORG_FACULTY from hypha.apply.utils.storage import PrivateStorage +from ..admin_forms import ContractDocumentCategoryAdminForm from ..blocks import ProjectFormCustomFormFieldsBlock logger = logging.getLogger(__name__) @@ -727,12 +729,11 @@ class Meta: class ContractDocumentCategory(models.Model): name = models.CharField(max_length=254) recommended_minimum = models.PositiveIntegerField(null=True, blank=True) - restrict_document_access_view = models.ManyToManyField( + document_access_view = models.ManyToManyField( Group, - verbose_name=_("Restrict document access for groups"), - help_text=_( - "Only selected group's users will be restricted from document access" - ), + limit_choices_to={"name__in": GROUPS_ORG_FACULTY}, + verbose_name=_("Allow document access for groups"), + help_text=_("Only selected group's users can access the document"), related_name="contract_document_category", blank=True, ) @@ -754,12 +755,12 @@ class Meta: panels = [ FieldPanel("name"), FieldPanel("required"), - FieldPanel( - "restrict_document_access_view", widget=forms.CheckboxSelectMultiple - ), + FieldPanel("document_access_view", widget=forms.CheckboxSelectMultiple), FieldPanel("template"), ] + base_form_class = ContractDocumentCategoryAdminForm + class Deliverable(models.Model): external_id = models.CharField( diff --git a/hypha/apply/projects/permissions.py b/hypha/apply/projects/permissions.py index f0cb7b95ee..4c50fabc3b 100644 --- a/hypha/apply/projects/permissions.py +++ b/hypha/apply/projects/permissions.py @@ -2,6 +2,7 @@ from django.core.exceptions import PermissionDenied from hypha.apply.activity.adapters.utils import get_users_for_groups +from hypha.apply.users.models import User from .models.project import ( CLOSING, 
@@ -365,20 +366,13 @@ def can_access_project(user, project): def can_view_contract_category_documents(user, project, **kwargs): - from hypha.apply.activity.adapters.utils import get_users_for_groups - contract_category = kwargs.get("contract_category") if not contract_category: return False, "Contract Category is required" - restricted_group_users = get_users_for_groups( - list(contract_category.restrict_document_access_view.all()) + allowed_group_users = User.objects.filter( + groups__name__in=list(contract_category.document_access_view.all()) ) - if restricted_group_users and user in restricted_group_users: - return False, "Forbidden Error" - if user.is_apply_staff or user.is_contracting: - return True, "Access allowed" - - if user == project.user: + if allowed_group_users and user in allowed_group_users: return True, "Access allowed" return False, "Forbidden Error" From 33457696aab1dddbf47d637dc5457e54801bc810 Mon Sep 17 00:00:00 2001 From: sandeepsajan0 Date: Fri, 18 Oct 2024 20:04:34 +0530 Subject: [PATCH 3/5] Resolved migration conflicts --- ... => 0089_contractdocumentcategory_document_access_view.py} | 4 ++-- ...{0089_auto_20240923_1154.py => 0090_auto_20241018_1430.py} | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) rename hypha/apply/projects/migrations/{0088_contractdocumentcategory_document_access_view.py => 0089_contractdocumentcategory_document_access_view.py} (85%) rename hypha/apply/projects/migrations/{0089_auto_20240923_1154.py => 0090_auto_20241018_1430.py} (87%) diff --git a/hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py b/hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py similarity index 85% rename from hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py rename to hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py index cce2afb10b..bb80385aa6 100644 
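Review bot: The rewritten `can_view_contract_category_documents` drops the `user == project.user` branch, so the project owner can no longer open their own contract documents unless they belong to a selected group. The model hunk in this patch limits the selectable groups to the internal ones, so if locking the owner out is not intended, the owner check should stay ahead of the group test. The group test passes `Group` instances to `groups__name__in`, which only matches if an instance's string form equals its name, and it evaluates a queryset of every allowed user just to test membership. A direct query is tighter: `if user.groups.filter(pk__in=contract_category.document_access_view.values("pk")).exists():`. `project` is now unused in the body, so a docstring saying that access is decided by category alone, and that an empty selection denies everyone, would make the contract explicit.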
--- a/hypha/apply/projects/migrations/0088_contractdocumentcategory_document_access_view.py +++ b/hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py @@ -1,4 +1,4 @@ -# Generated by Django 4.2.15 on 2024-09-23 11:16 +# Generated by Django 4.2.16 on 2024-10-18 14:29 from django.db import migrations, models @@ -6,7 +6,7 @@ class Migration(migrations.Migration): dependencies = [ ("auth", "0012_alter_user_first_name_max_length"), - ("application_projects", "0087_alter_pafreviewersrole_user_roles"), + ("application_projects", "0088_remove_duediligencedocument_vendor_and_more"), ] operations = [ diff --git a/hypha/apply/projects/migrations/0089_auto_20240923_1154.py b/hypha/apply/projects/migrations/0090_auto_20241018_1430.py similarity index 87% rename from hypha/apply/projects/migrations/0089_auto_20240923_1154.py rename to hypha/apply/projects/migrations/0090_auto_20241018_1430.py index 4fcc9b1d81..7efc5bc6ae 100644 --- a/hypha/apply/projects/migrations/0089_auto_20240923_1154.py +++ b/hypha/apply/projects/migrations/0090_auto_20241018_1430.py @@ -1,4 +1,4 @@ -# Generated by Django 4.2.15 on 2024-09-23 11:54 +# Generated by Django 4.2.16 on 2024-10-18 14:30 from django.db import migrations from hypha.apply.users.groups import GROUPS_ORG_FACULTY @@ -18,7 +18,7 @@ def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): class Migration(migrations.Migration): dependencies = [ - ("application_projects", "0088_contractdocumentcategory_document_access_view"), + ("application_projects", "0089_contractdocumentcategory_document_access_view"), ] operations = [ From dd1666bf5fce67ba0d7cdb7839def1e4457a2a80 Mon Sep 17 00:00:00 2001 
From: Fredrik Jonsson Date: Fri, 1 Nov 2024 17:33:10 +0100 Subject: [PATCH 4/5] Fix migrations after rebase. --- .../migrations/0090_auto_20241018_1430.py | 26 ------------------- ...tdocumentcategory_document_access_view.py} | 18 +++++++++++-- 2 files changed, 16 insertions(+), 28 deletions(-) delete mode 100644 hypha/apply/projects/migrations/0090_auto_20241018_1430.py rename hypha/apply/projects/migrations/{0089_contractdocumentcategory_document_access_view.py => 0090_contractdocumentcategory_document_access_view.py} (51%) diff --git a/hypha/apply/projects/migrations/0090_auto_20241018_1430.py b/hypha/apply/projects/migrations/0090_auto_20241018_1430.py deleted file mode 100644 index 7efc5bc6ae..0000000000 --- a/hypha/apply/projects/migrations/0090_auto_20241018_1430.py +++ /dev/null @@ -1,26 +0,0 @@ -# Generated by Django 4.2.16 on 2024-10-18 14:30 - -from django.db import migrations -from hypha.apply.users.groups import GROUPS_ORG_FACULTY - - -def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): - ContractDocumentCategory = apps.get_model( - "application_projects", "ContractDocumentCategory" - ) - Group = apps.get_model("auth", "Group") - - groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) - for category in ContractDocumentCategory.objects.all(): - # Add the default groups to the document_access_view field - category.document_access_view.add(*groups) - - -class Migration(migrations.Migration): - dependencies = [ - ("application_projects", "0089_contractdocumentcategory_document_access_view"), - ] - - operations = [ - migrations.RunPython(allow_internal_groups_to_contractdocumentcategory) - ] 
diff --git a/hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py b/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py similarity index 51% rename from hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py rename to hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py index bb80385aa6..81e4b5b90b 100644 --- a/hypha/apply/projects/migrations/0089_contractdocumentcategory_document_access_view.py +++ b/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py @@ -1,12 +1,25 @@ -# Generated by Django 4.2.16 on 2024-10-18 14:29 +# Generated by Django 4.2.16 on 2024-11-01 16:27 from django.db import migrations, models +from hypha.apply.users.groups import GROUPS_ORG_FACULTY + + +def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): + ContractDocumentCategory = apps.get_model( + "application_projects", "ContractDocumentCategory" + ) + Group = apps.get_model("auth", "Group") + + groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) + for category in ContractDocumentCategory.objects.all(): + # Add the default groups to the document_access_view field + category.document_access_view.add(*groups) class Migration(migrations.Migration): dependencies = [ ("auth", "0012_alter_user_first_name_max_length"), - ("application_projects", "0088_remove_duediligencedocument_vendor_and_more"), + ("application_projects", "0089_projectreminderfrequency"), ] operations = [ @@ -24,4 +37,5 @@ class Migration(migrations.Migration): verbose_name="Allow document access for groups", ), ), + migrations.RunPython(allow_internal_groups_to_contractdocumentcategory), ] From e0ef1e53e9a2aae287d636ebbe3f539487e47a76 Mon Sep 17 00:00:00 2001 
From: Fredrik Jonsson Date: Thu, 7 Nov 2024 13:55:40 +0100 Subject: [PATCH 5/5] Groups are now roles. --- hypha/apply/projects/admin_forms.py | 6 +++--- .../0090_contractdocumentcategory_document_access_view.py | 4 ++-- hypha/apply/projects/models/project.py | 4 ++-- hypha/apply/users/roles.py | 7 +++++++ 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/hypha/apply/projects/admin_forms.py b/hypha/apply/projects/admin_forms.py index 1e47e69c16..d80336410e 100644 --- a/hypha/apply/projects/admin_forms.py +++ b/hypha/apply/projects/admin_forms.py @@ -1,7 +1,7 @@ +from django.contrib.auth.models import Group from wagtail.admin.forms import WagtailAdminModelForm -from hypha.apply.users.groups import GROUPS_ORG_FACULTY -from hypha.apply.users.models import Group +from hypha.apply.users.roles import ROLES_ORG_FACULTY class ContractDocumentCategoryAdminForm(WagtailAdminModelForm): @@ -9,7 +9,7 @@ def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) if not self.instance.pk: # New instance, not saved yet - default_groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) + default_groups = Group.objects.filter(name__in=ROLES_ORG_FACULTY) self.fields["document_access_view"].queryset = default_groups self.fields["document_access_view"].initial = default_groups.values_list( "pk", flat=True diff --git a/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py b/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py index 81e4b5b90b..5953c41d39 100644 --- a/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py +++ b/hypha/apply/projects/migrations/0090_contractdocumentcategory_document_access_view.py 
@@ -1,7 +1,7 @@ # Generated by Django 4.2.16 on 2024-11-01 16:27 from django.db import migrations, models -from hypha.apply.users.groups import GROUPS_ORG_FACULTY +from hypha.apply.users.roles import ROLES_ORG_FACULTY def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): @@ -10,7 +10,7 @@ def allow_internal_groups_to_contractdocumentcategory(apps, schema_editor): ) Group = apps.get_model("auth", "Group") - groups = Group.objects.filter(name__in=GROUPS_ORG_FACULTY) + groups = Group.objects.filter(name__in=ROLES_ORG_FACULTY) for category in ContractDocumentCategory.objects.all(): # Add the default groups to the document_access_view field category.document_access_view.add(*groups) diff --git a/hypha/apply/projects/models/project.py b/hypha/apply/projects/models/project.py index e45e3dc129..5447aa360a 100644 --- a/hypha/apply/projects/models/project.py +++ b/hypha/apply/projects/models/project.py @@ -26,7 +26,7 @@ from hypha.apply.funds.models.mixins import AccessFormData from hypha.apply.stream_forms.files import StreamFieldDataEncoder from hypha.apply.stream_forms.models import BaseStreamForm -from hypha.apply.users.groups import GROUPS_ORG_FACULTY +from hypha.apply.users.roles import ROLES_ORG_FACULTY from hypha.apply.utils.storage import PrivateStorage from ..admin_forms import ContractDocumentCategoryAdminForm @@ -731,7 +731,7 @@ class ContractDocumentCategory(models.Model): recommended_minimum = models.PositiveIntegerField(null=True, blank=True) document_access_view = models.ManyToManyField( Group, - limit_choices_to={"name__in": GROUPS_ORG_FACULTY}, + limit_choices_to={"name__in": ROLES_ORG_FACULTY}, verbose_name=_("Allow document access for groups"), help_text=_("Only selected group's users can access the document"), related_name="contract_document_category", diff --git a/hypha/apply/users/roles.py b/hypha/apply/users/roles.py index d8760b0b6d..a1d632e052 100644 --- a/hypha/apply/users/roles.py +++ b/hypha/apply/users/roles.py 
@@ -12,6 +12,13 @@ FINANCE_GROUP_NAME = _("Finance") CONTRACTING_GROUP_NAME = _("Contracting") +ROLES_ORG_FACULTY = [ + STAFF_GROUP_NAME, + TEAMADMIN_GROUP_NAME, + FINANCE_GROUP_NAME, + CONTRACTING_GROUP_NAME, +] + # roles for the application # https://django-role-permissions.readthedocs.io/en/stable/roles.html
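Review bot: `ROLES_ORG_FACULTY` is built from names wrapped in `_()` (`FINANCE_GROUP_NAME = _("Finance")` is visible in the context lines), and this patch feeds the list to `Group.objects.filter(name__in=ROLES_ORG_FACULTY)` and to `limit_choices_to`. If `_` is a lazy translation function, the values compared against stored group names depend on the active locale, so the lookup behind document access could come back empty under a non-English language. The hunk does not show the import of `_`, so this needs confirming. A comment on the list such as `# Must match the stored Group.name values; used for access-control lookups`, or building it from untranslated names, would make the dependency explicit.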