From e12f4f1dd94ee5f0cc1c91ee4ec79b7377291365 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Mon, 25 Oct 2021 19:33:15 +0200
Subject: [PATCH] Fix permission checking for person form so users can (only)
 edit the configured fields

(cherry picked from commit 46c4dd04ce73902c404a22bb9adb9315b0e6fc0f)
---
 aleksis/core/forms.py | 21 ++++++++++++---------
 aleksis/core/rules.py | 13 -------------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/aleksis/core/forms.py b/aleksis/core/forms.py
index 642364b1b..f6e0dcd98 100644
--- a/aleksis/core/forms.py
+++ b/aleksis/core/forms.py
@@ -146,17 +146,20 @@ class EditPersonForm(ExtensibleForm):
         super().__init__(*args, **kwargs)
 
         # Disable non-editable fields
-        person_fields = set([field.name for field in Person.syncable_fields()]).intersection(
-            set(self.fields)
-        )
+        allowed_person_fields = get_site_preferences()["account__editable_fields_person"]
 
-        if self.instance:
-            checker = ObjectPermissionChecker(request.user)
-            checker.prefetch_perms([self.instance])
+        if (
+            request
+            and self.instance
+            and not request.user.has_perm("core.change_person", self.instance)
+        ):
+            # First, disable all fields
+            for field in self.fields:
+                self.fields[field].disabled = True
 
-            for field in person_fields:
-                if not checker.has_perm(f"core.change_person_field_{field}", self.instance):
-                    self.fields[field].disabled = True
+            # Then, activate allowed fields
+            for field in allowed_person_fields:
+                self.fields[field].disabled = False
 
     def clean(self) -> None:
         # Use code implemented in dedicated form to verify user selection
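Review bot: The new guard in the `if (` block fails open when `request` is None: the old code restricted fields whenever `self.instance` was set, whereas the new condition skips the whole restriction when no request is passed, leaving every field editable. If the form can be constructed without a request, prefer to fail closed, e.g. `if self.instance and (request is None or not request.user.has_perm("core.change_person", self.instance)):`. The re-enable loop also indexes `self.fields[field]` for every name in the `account__editable_fields_person` preference, so a configured name that is not a field of this form raises KeyError; guard it with `if field in self.fields:`. Note too that the `is_current_person` condition dropped from rules.py is not reproduced here, so whether a user without `core.change_person` is only ever editing their own Person now rests entirely on the view's permission check — worth confirming. The enclosing `__init__` starts outside the hunk.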
diff --git a/aleksis/core/rules.py b/aleksis/core/rules.py
index 9b8f7cc1f..99c049362 100644
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -2,7 +2,6 @@ import rules
 
 from .models import AdditionalField, Announcement, Group, GroupType, Person
 from .util.predicates import (
-    contains_site_preference_value,
     has_any_object,
     has_global_perm,
     has_object_perm,
@@ -350,15 +349,3 @@ rules.add_perm("core.upload_files_ckeditor_rule", upload_files_ckeditor_predicat
 
 test_pdf_generation_predicate = has_person & has_global_perm("core.test_pdf")
 rules.add_perm("core.test_pdf_rule", test_pdf_generation_predicate)
-
-# Generate rules for syncable fields
-for field in Person._meta.fields:
-    perm = (
-        has_global_perm("core.edit_person")
-        | has_object_perm("core.edit_person")
-        | (
-            is_current_person
-            & contains_site_preference_value("account", "editable_fields_person", field.name)
-        )
-    )
-    rules.add_perm(f"core.change_person_field_{field.name}_rule", perm)
-- 
GitLab