From 8fb38b7a644969db094e96db4ccba90052fd799b Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sat, 11 Apr 2020 17:22:47 +0200
Subject: [PATCH] Add permissions for groups view

---
 aleksis/core/menus.py |  4 +++-
 aleksis/core/rules.py | 16 ++++++++++++++--
 aleksis/core/views.py | 17 ++++++++---------
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/aleksis/core/menus.py b/aleksis/core/menus.py
index 911b5b32a..cbb53218b 100644
--- a/aleksis/core/menus.py
+++ b/aleksis/core/menus.py
@@ -138,7 +138,9 @@ MENUS = {
                     "name": _("Groups"),
                     "url": "groups",
                     "icon": "group",
-                    "validators": ["menu_generator.validators.is_authenticated"],
+                    "validators": [
+                        ("aleksis.core.util.predicates.permission_validator", "core.view_groups")
+                    ],
                 },
                 {
                     "name": _("Persons and accounts"),
diff --git a/aleksis/core/rules.py b/aleksis/core/rules.py
index f9b87f3d7..a1e950161 100644
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -1,6 +1,6 @@
 from rules import add_perm, always_allow
 
-from aleksis.core.models import Person
+from aleksis.core.models import Person, Group
 from aleksis.core.util.predicates import (
     has_person_predicate,
     has_global_perm,
@@ -30,5 +30,17 @@ change_person_predicate = has_person_predicate & (
 )
 add_perm("core.change_person", change_person_predicate)
 
+# View groups
+view_groups_predicate = has_person_predicate & (
+    has_global_perm("core.view_group") | has_any_object("core.view_group", Group)
+)
+add_perm("core.view_groups", view_groups_predicate)
+
+# View group
+view_group_predicate = has_person_predicate &(
+    has_global_perm("core.view_group") | has_object_perm("core.view_group")
+)
+add_perm("core.view_group", view_group_predicate)
+
 # People menu (persons + objects)
-add_perm("core.view_people_menu", has_person_predicate & (view_persons_predicate))
+add_perm("core.view_people_menu", has_person_predicate & (view_persons_predicate | view_groups_predicate))
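Review bot: The rule registered by `add_perm("core.view_group", view_group_predicate)` has the same name as the permission string its own predicate passes to `has_global_perm` and `has_object_perm`. The check is therefore only well-defined if those helpers query the model and object permission backends directly and never go through `user.has_perm`, which would re-enter this rule. The helpers are defined outside this diff, so that should be confirmed and recorded next to the rule, e.g. `# Rule name intentionally matches the model permission; predicates must not call user.has_perm()`. Two smaller style points: `has_person_predicate &(` is missing a space before the parenthesis, and the final `add_perm("core.view_people_menu", ...)` line is long and re-applies `has_person_predicate`, which `view_groups_predicate` already includes.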
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 61548dede..c927caa51 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -96,16 +96,15 @@ def person(request: HttpRequest, id_: Optional[int] = None) -> HttpResponse:
     return render(request, "core/person_full.html", context)
 
 
-@login_required
+def get_group_by_pk(request: HttpRequest, id_: int) -> Group:
+    return get_object_or_404(Group, pk=id_)
+
+
+@permission_required("core.view_group", fn=get_group_by_pk)
 def group(request: HttpRequest, id_: int) -> HttpResponse:
     context = {}
 
-    # Get group and check if it exist
-    try:
-        group = Group.objects.get(pk=id_)
-    except Group.DoesNotExist as e:
-        # Turn not-found object into a 404 error
-        raise Http404 from e
+    group = get_group_by_pk(request, id_)
 
     context["group"] = group
 
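Review bot: `get_group_by_pk` is what the decorator calls to obtain the object for the `core.view_group` check, so `get_object_or_404` presumably runs before any permission decision. A caller without access would then get a 404 for a missing id but a denial or login redirect for an existing one, which discloses which group ids exist. If that is acceptable, say so on the helper, e.g. `"""Resolve the group for the permission check; raises Http404 before permissions are evaluated."""`, and note there that `request` is unused and only matches the decorator's callback signature. The view body calls `get_group_by_pk(request, id_)` a second time, so each request loads the group twice, which deserves a short comment. The body of `group` continues outside this hunk.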
@@ -131,12 +130,12 @@ def group(request: HttpRequest, id_: int) -> HttpResponse:
     return render(request, "core/group_full.html", context)
 
 
-@login_required
+@permission_required("core.view_groups")
 def groups(request: HttpRequest) -> HttpResponse:
     context = {}
 
     # Get all groups
-    groups = Group.objects.all()
+    groups = get_objects_for_user(request.user, "core.view_group", Group)
 
     # Build table
     groups_table = GroupsTable(groups)
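Review bot: The context comment `# Get all groups` above the changed query is now stale, because `get_objects_for_user(request.user, "core.view_group", Group)` returns only the groups this user may view. It should read `# Get all groups the user is allowed to view`. Entry to the view is gated by the rule `core.view_groups`, while the list appears to be filtered by assigned `core.view_group` permissions rather than by evaluating the `core.view_group` rule, so later changes to that rule's predicate would not be reflected here. A one-line comment stating that the two must be kept in step would help. The body of `groups` continues past the end of the hunk.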
-- 
GitLab