Fix permission checking for person form so users can (only) edit the configured fields

(cherry picked from commit 46c4dd04)

Fix permission checking for person form so users can (only) edit the configured fields
e12f4f1d · Jonathan Weth · b404c645 · e12f4f1d · e12f4f1d
Verified Commit e12f4f1d authored 3 years ago by Jonathan Weth
--- a/aleksis/core/forms.py
+++ b/aleksis/core/forms.py
@@ -146,17 +146,20 @@ class EditPersonForm(ExtensibleForm):
        super().__init__(*args, **kwargs)
        # Disable non-editable fields
-        person_fields = set([field.name for field in Person.syncable_fields()]).intersection(
+        allowed_person_fields = get_site_preferences()["account__editable_fields_person"]
-            set(self.fields)
-        )
-        if self.instance:
+        if (
-            checker = ObjectPermissionChecker(request.user)
+            request
-            checker.prefetch_perms([self.instance])
+            and self.instance
+            and not request.user.has_perm("core.change_person", self.instance)
+        ):
+            # First, disable all fields
+            for field in self.fields:
+                self.fields[field].disabled = True
-            for field in person_fields:
+            # Then, activate allowed fields
-                if not checker.has_perm(f"core.change_person_field_{field}", self.instance):
+            for field in allowed_person_fields:
-                    self.fields[field].disabled = True
+                self.fields[field].disabled = False
    def clean(self) -> None:
        # Use code implemented in dedicated form to verify user selection

--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -2,7 +2,6 @@ import rules
 from .models import AdditionalField, Announcement, Group, GroupType, Person
 from .util.predicates import (
-    contains_site_preference_value,
    has_any_object,
    has_global_perm,
    has_object_perm,
@@ -350,15 +349,3 @@ rules.add_perm("core.upload_files_ckeditor_rule", upload_files_ckeditor_predicat
 test_pdf_generation_predicate = has_person & has_global_perm("core.test_pdf")
 rules.add_perm("core.test_pdf_rule", test_pdf_generation_predicate)
-# Generate rules for syncable fields
-for field in Person._meta.fields:
-    perm = (
-        has_global_perm("core.edit_person")
-        | has_object_perm("core.edit_person")
-        | (
-            is_current_person
-            & contains_site_preference_value("account", "editable_fields_person", field.name)
-        )
-    )
-    rules.add_perm(f"core.change_person_field_{field.name}_rule", perm)