Check permissions and send mail if enabled

aleksis/core/forms.py

@@ -10,6 +10,7 @@ from django.utils.translation import gettext_lazy as _
 
 from django_select2.forms import ModelSelect2MultipleWidget, ModelSelect2Widget, Select2Widget
 from dynamic_preferences.forms import PreferenceForm
+from guardian.core import ObjectPermissionChecker
 from material import Fieldset, Layout, Row
 
 from .mixins import ExtensibleForm, SchoolTermRelatedExtensibleForm
@@ -137,6 +138,22 @@ class EditPersonForm(ExtensibleForm):
         required=False, label=_("New user"), help_text=_("Create a new account")
     )
 
+    def __init__(self, request: HttpRequest, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        # Disable non-editable fields
+        person_fields = set([field.name for field in Person.syncable_fields()]).intersection(
+            set(self.fields)
+        )
+
+        if self.instance:
+            checker = ObjectPermissionChecker(request.user)
+            checker.prefetch_perms([self.instance])
+
+            for field in person_fields:
+                if not checker.has_perm(f"core.change_person_field_{field}", self.instance):
+                    self.fields[field].disabled = True
+
     def clean(self) -> None:
         # Use code implemented in dedicated form to verify user selection
         return PersonAccountForm.clean(self)

aleksis/core/templates/templated_email/person_changed.email

+{% load i18n %}
+
+{% block subject %}
+ {% blocktrans with person=person %}{{ person }} changed their data!{% endblocktrans %}
+{% endblock %}
+
+{% block plain %}
+ {% trans "Hello," %}
+
+ {% blocktrans with person=person %}
+   the person {{ person }} recently changed the following fields:
+ {% endblocktrans %}
+
+ {% for field in send_notification_fields %}
+  * {{ field }}
+ {% endfor %}
+{% endblock %}
+
+{% block html %}
+ <p>{% trans "Hello," %}</p>
+ <p>
+  {% blocktrans with person=person %}
+    the person {{ person }} recently changed the following fields:
+  {% endblocktrans %}
+ </p>
+
+ <ul>
+  {% for field in send_notification_fields %}
+   <li>{{ field }}</li>
+  {% endfor %}
+ </ul>
+{% endblock %}

aleksis/core/views.py

@@ -28,6 +28,7 @@ from health_check.views import MainView
 from reversion import set_user
 from reversion.views import RevisionMixin
 from rules.contrib.views import PermissionRequiredMixin, permission_required
+from templated_email import send_templated_mail
 
 from aleksis.core.data_checks import DataCheckRegistry, check_data
 
@@ -77,7 +78,7 @@ from .tables import (
 )
 from .util import messages
 from .util.apps import AppConfig
-from .util.core_helpers import has_person, objectgetter_optional
+from .util.core_helpers import get_site_preferences, has_person, objectgetter_optional
 from .util.forms import PreferenceLayout
 from .util.pdf import render_pdf
 
@@ -352,16 +353,39 @@ def edit_person(request: HttpRequest, id_: Optional[int] = None) -> HttpResponse
     if id_:
         # Edit form for existing group
         edit_person_form = EditPersonForm(
-            request.POST or None, request.FILES or None, instance=person
+            request, request.POST or None, request.FILES or None, instance=person
         )
     else:
         # Empty form to create a new group
         if request.user.has_perm("core.create_person"):
-            edit_person_form = EditPersonForm(request.POST or None, request.FILES or None)
+            edit_person_form = EditPersonForm(request, request.POST or None, request.FILES or None)
         else:
             raise PermissionDenied()
     if request.method == "POST":
         if edit_person_form.is_valid():
+            if person and person == request.user.person:
+                # Check if user edited non-editable field
+                notification_fields = get_site_preferences()[
+                    "account__notification_on_person_change"
+                ]
+                send_notification_fields = set(edit_person_form.changed_data).intersection(
+                    set(notification_fields)
+                )
+                context["send_notification_fields"] = send_notification_fields
+                if send_notification_fields:
+                    context["send_notification_fields"] = send_notification_fields
+                    send_templated_mail(
+                        template_name="person_changed",
+                        from_email=request.user.person.mail_sender_via,
+                        headers={
+                            "Reply-To": request.user.person.mail_sender,
+                            "Sender": request.user.person.mail_sender,
+                        },
+                        recipient_list=[
+                            get_site_preferences()["account__person_change_notification_contact"]
+                        ],
+                        context=context,
+                    )
             with reversion.create_revision():
                 set_user(request.user)
                 edit_person_form.save(commit=True)