Hide contracting category documents from restricted users

hypha/apply/projects/migrations/0088_contractdocumentcategory_restrict_document_access_view.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.15 on 2024-09-17 04:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+        ("application_projects", "0087_alter_pafreviewersrole_user_roles"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="contractdocumentcategory",
+            name="restrict_document_access_view",
+            field=models.ManyToManyField(
+                blank=True,
+                help_text="Only selected group's users will be restricted from document access",
+                related_name="contract_document_category",
+                to="auth.group",
+                verbose_name="Restrict document access for groups",
+            ),
+        ),
+    ]

hypha/apply/projects/models/project.py

@@ -741,6 +741,15 @@ class Meta:
 class ContractDocumentCategory(models.Model):
     name = models.CharField(max_length=254)
     recommended_minimum = models.PositiveIntegerField(null=True, blank=True)
+    restrict_document_access_view = models.ManyToManyField(
+        Group,
+        verbose_name=_("Restrict document access for groups"),
+        help_text=_(
+            "Only selected group's users will be restricted from document access"
+        ),
+        related_name="contract_document_category",
+        blank=True,
+    )
     required = models.BooleanField(default=True)
     template = models.FileField(
         upload_to=contract_document_template_path,
@@ -759,6 +768,9 @@ class Meta:
     panels = [
         FieldPanel("name"),
         FieldPanel("required"),
+        FieldPanel(
+            "restrict_document_access_view", widget=forms.CheckboxSelectMultiple
+        ),
         FieldPanel("template"),
     ]
 

hypha/apply/projects/permissions.py

@@ -364,6 +364,26 @@ def can_access_project(user, project):
     return False, "Forbidden Error"
 
 
+def can_view_contract_category_documents(user, project, **kwargs):
+    from hypha.apply.activity.adapters.utils import get_users_for_groups
+
+    contract_category = kwargs.get("contract_category")
+    if not contract_category:
+        return False, "Contract Category is required"
+    restricted_group_users = get_users_for_groups(
+        list(contract_category.restrict_document_access_view.all())
+    )
+    if restricted_group_users and user in restricted_group_users:
+        return False, "Forbidden Error"
+    if user.is_apply_staff or user.is_contracting:
+        return True, "Access allowed"
+
+    if user == project.user:
+        return True, "Access allowed"
+
+    return False, "Forbidden Error"
+
+
 def can_edit_paf(user, project):
     if no_pafreviewer_role() and project.status != COMPLETE:
         return True, "Paf is editable for active projects if no reviewer roles"
@@ -396,4 +416,5 @@ def can_edit_vendor_details(user, project):
     "project_access": can_access_project,
     "paf_edit": can_edit_paf,
     "vendor_edit": can_edit_vendor_details,
+    "view_contract_documents": can_view_contract_category_documents,
 }

hypha/apply/projects/templates/application_projects/includes/contracting_documents.html

@@ -177,7 +177,8 @@ <h5> {% trans "Are you sure you want to submit contracting documents?" %}</h5>
                                             </div>
                                         {% else %}
                                             {% contract_category_latest_file project document_category as latest_file %}
-                                            {% if latest_file %}
+                                            {% can_access_category_document project user document_category as have_view_access %}
+                                            {% if latest_file and have_view_access %}
                                                 <div class="docs-block__row-inner">
                                                     <a class="docs-block__icon-link" href="{% url 'apply:projects:contract_document' pk=object.pk file_pk=latest_file.pk %}" target="_blank">
                                                         {% heroicon_micro "eye" class="inline me-1 w-4 h-4" aria_hidden=true %}

hypha/apply/projects/templatetags/contract_tools.py

@@ -90,3 +90,15 @@ def can_update_contracting_documents(project, user):
     if user == project.user and not user.is_apply_staff and not user.is_contracting:
         return True
     return False
+
+
+@register.simple_tag
+def can_access_category_document(project, user, category):
+    permission, _ = has_permission(
+        "view_contract_documents",
+        user,
+        object=project,
+        contract_category=category,
+        raise_exception=False,
+    )
+    return permission

hypha/apply/projects/views/project.py

@@ -1545,28 +1545,26 @@ def test_func(self):
 
 
 @method_decorator(login_required, name="dispatch")
-class ContractDocumentPrivateMediaView(UserPassesTestMixin, PrivateMediaView):
+class ContractDocumentPrivateMediaView(PrivateMediaView):
     raise_exception = True
 
     def dispatch(self, *args, **kwargs):
         project_pk = self.kwargs["pk"]
         self.project = get_object_or_404(Project, pk=project_pk)
+        self.document = ContractPacketFile.objects.get(pk=kwargs["file_pk"])
+        permission, _ = has_permission(
+            "view_contract_documents",
+            self.request.user,
+            object=self.project,
+            contract_category=self.document.category,
+            raise_exception=True,
+        )
         return super().dispatch(*args, **kwargs)
 
     def get_media(self, *args, **kwargs):
-        document = ContractPacketFile.objects.get(pk=kwargs["file_pk"])
-        if document.project != self.project:
+        if self.document.project != self.project:
             raise Http404
-        return document.document
-
-    def test_func(self):
-        if self.request.user.is_apply_staff or self.request.user.is_contracting:
-            return True
-
-        if self.request.user == self.project.user:
-            return True
-
-        return False
+        return self.document.document
 
 
 # PROJECT FORM VIEWS