From a6400c8968a318b3101c0ffef1ab7d138d694b09 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Wed, 14 Jul 2021 12:49:05 +0200
Subject: [PATCH] Filter selectable groups in upload form by permissions

---
 aleksis/apps/resint/forms.py | 9 +++++++++
 aleksis/apps/resint/rules.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/aleksis/apps/resint/forms.py b/aleksis/apps/resint/forms.py
index 5a0ae98..147991e 100644
--- a/aleksis/apps/resint/forms.py
+++ b/aleksis/apps/resint/forms.py
@@ -1,5 +1,7 @@
 from django import forms
+from django.http import HttpRequest
 
+from guardian.shortcuts import get_objects_for_user
 from material import Layout, Row
 
 from .models import Poster, PosterGroup
@@ -35,3 +37,10 @@ class PosterUploadForm(forms.ModelForm):
     class Meta:
         model = Poster
         fields = ["group", "week", "year", "pdf"]
+
+    def __init__(self, request: HttpRequest, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        qs = PosterGroup.objects.all()
+        if not request.user.has_perm("resint.view_postergroup"):
+            qs = get_objects_for_user(request.user, "resint.add_poster_to_group", qs)
+        self.fields["group"].queryset = qs
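Review bot: The bypass in `__init__` leaves the group queryset unfiltered when the user holds `resint.view_postergroup`, a view permission, whereas `upload_poster_predicate` in rules.py grants upload through `resint.add_poster` or the object-level `resint.add_poster_to_group`. A user with global view rights on poster groups and add rights on only one group would pass the rule and could then select and submit any group, since the field validates against this queryset. Unless view rights are deliberately meant to imply upload rights everywhere, the condition should mirror the rule: `if not request.user.has_perm("resint.add_poster"):`. The new required positional `request` also changes the constructor contract and the patch touches no caller, so confirm that every view building this form passes it; the class body begins outside this hunk.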
diff --git a/aleksis/apps/resint/rules.py b/aleksis/apps/resint/rules.py
index 2560ef9..ea35902 100644
--- a/aleksis/apps/resint/rules.py
+++ b/aleksis/apps/resint/rules.py
@@ -75,7 +75,7 @@ add_perm("resint.view_posters_rule", view_posters_predicate)
 # Upload poster
 upload_poster_predicate = view_posters_predicate & (
     has_global_perm("resint.add_poster") | has_any_object("resint.add_poster_to_group", PosterGroup)
-)  # FIXME FIlter on form
+)
 add_perm("resint.upload_poster_rule", upload_poster_predicate)
 
 # Edit poster
-- 
GitLab