Check if the user has permission to edit a liaison. See ietf-tools#577

 - Legacy-Id: 2785

Author: emiliosanchez

ietf/liaisons/accounts.py

@@ -3,6 +3,7 @@
 
 LIAISON_EDIT_GROUPS = ['Secretariat']
 
+
 def get_ietf_chair():
     person = PersonOrOrgInfo.objects.filter(role=Role.IETF_CHAIR)
     return person and person[0] or None
@@ -96,3 +97,44 @@ def can_add_incoming_liaison(user):
 
 def can_add_liaison(user):
     return can_add_incoming_liaison(user) or can_add_outgoing_liaison(user)
+
+
+def is_sdo_manager_for_outgoing_liaison(person, liaison):
+    from ietf.liaisons.utils import IETFHM, SDOEntity
+    from ietf.liaisons.models import SDOs
+    from_entity = IETFHM.get_entity_by_key(liaison.from_raw_code)
+    sdo = None
+    if not from_entity:
+        sdo = SDOs.objects.get(sdo_name=liaison.from_body())
+    elif isinstance(from_entity, SDOEntity):
+        sdo = from_entity.obj
+    if sdo:
+        return bool(sdo.liaisonmanagers_set.filter(person=person))
+    return False
+
+
+def is_sdo_manager_for_incoming_liaison(person, liaison):
+    from ietf.liaisons.utils import IETFHM, SDOEntity
+    from ietf.liaisons.models import SDOs
+    to_entity = IETFHM.get_entity_by_key(liaison.to_raw_code)
+    sdo = None
+    if not to_entity:
+        try:
+            sdo = SDOs.objects.get(sdo_name=liaison.to_body)
+        except SDOs.DoesNotExist:
+            pass
+    elif isinstance(to_entity, SDOEntity):
+        sdo = to_entity.obj
+    if sdo:
+        return bool(sdo.liaisonmanagers_set.filter(person=person))
+    return False
+
+
+def can_edit_liaison(user, liaison):
+    if is_secretariat(user):
+        return True
+    person = get_person_for_user(user)
+    if is_sdo_liaison_manager(person):
+        return (is_sdo_manager_for_outgoing_liaison(person, liaison) or
+                is_sdo_manager_for_incoming_liaison(person, liaison))
+    return False

ietf/liaisons/utils.py

@@ -321,6 +321,8 @@ def __init__(self):
                         }
 
     def get_entity_by_key(self, entity_id):
+        if not entity_id:
+            return None
         id_list = entity_id.split('_', 1)
         key = id_list[0]
         pk = None

ietf/liaisons/views.py

@@ -6,15 +6,16 @@
 from django.core.urlresolvers import reverse
 from django.db.models import Q
 from django.forms.fields import email_re
-from django.http import HttpResponse, HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden
 from django.shortcuts import render_to_response, get_object_or_404
 from django.template import RequestContext
 from django.utils import simplejson
 from django.views.generic.list_detail import object_list, object_detail
 
 from ietf.liaisons.accounts import (get_person_for_user, can_add_outgoing_liaison,
                                     can_add_incoming_liaison, LIAISON_EDIT_GROUPS,
-                                    is_ietfchair, is_iabchair, is_iab_executive_director)
+                                    is_ietfchair, is_iabchair, is_iab_executive_director,
+                                    can_edit_liaison)
 from ietf.liaisons.decorators import can_submit_liaison
 from ietf.liaisons.forms import liaison_form_factory
 from ietf.liaisons.models import LiaisonDetail, OutgoingLiaisonApproval
@@ -210,7 +211,7 @@ def liaison_detail(request, object_id):
     can_edit = False
     user = request.user
     can_take_care = _can_take_care(liaison, user)
-    if user.is_authenticated() and user.groups.filter(name__in=LIAISON_EDIT_GROUPS):
+    if user.is_authenticated() and can_edit_liaison(user, liaison):
         can_edit = True
     if request.method == 'POST' and request.POST.get('do_taken_care', None) and can_take_care:
         liaison.taken_care = True
@@ -227,6 +228,9 @@ def liaison_detail(request, object_id):
 
 def liaison_edit(request, object_id):
     liaison = get_object_or_404(LiaisonDetail, pk=object_id)
+    user = request.user
+    if not (user.is_authenticated() and can_edit_liaison(user, liaison)):
+        return HttpResponseForbidden('You have no permission to edit this liaison')
     return add_liaison(request, liaison=liaison)
 
 def ajax_liaison_list(request):