Hide action that curators cannot do if they are not editor

eb85c9aa · Bryan BRANCOTTE · 274742d8 · eb85c9aa · eb85c9aa · eb85c9aa
Commit eb85c9aa authored 3 years ago by Bryan BRANCOTTE
--- a/src/viralhostrange/viralhostrangedb/static/css/base.css
+++ b/src/viralhostrange/viralhostrangedb/static/css/base.css
@@ -170,4 +170,7 @@ a[data-toggle=collapse].card-header  {
 }
 a[data-toggle=collapse].card-header>:not(i)  {
    color: #212529;
+}
+.not-allowed {
+     cursor: not-allowed !important;
 }
\ No newline at end of file
--- a/src/viralhostrange/viralhostrangedb/templates/viralhostrangedb/datasource_detail.html
+++ b/src/viralhostrange/viralhostrangedb/templates/viralhostrangedb/datasource_detail.html
@@ -150,19 +150,11 @@
                </tbody>
            </table>
            <div class="btn-group  d-flex" role="group" aria-label="Get content">
-                {% if request|can_edit:object %}
-                <a href="{% url 'viralhostrangedb:data-source-data-update' pk=object.pk%}" role="button"
-                   class="btn btn-outline-primary"><i class="fa fa-upload"></i> {%trans "Update content" %}</a>
-                {%endif%}
                {% if has_responses %}
                <a href="{% url 'viralhostrangedb:data-source-download' pk=object.pk%}" role="button"
                   class="float-right btn btn-outline-primary">
                    <i class="fa fa-download"></i> {%trans "Download it" %}
                </a>
-                <a href="http://hub.pages.pasteur.fr/viralhostrangedb/compatible_file.html" target="_blank" style="flex-grow:0"
-                   class="float-right btn btn-outline-primary">
-                    <i class="fa fa-question-circle"></i>
-                </a>
                {%else%}
                <a href="{% url 'viralhostrangedb:data-source-download' pk=object.pk%}" role="button"
                   class="float-right btn btn-primary">
@@ -173,6 +165,14 @@
                    <i class="fa fa-question-circle"></i> {%trans "How to fill it" %}
                </a>
                {%endif%}
+                {% if request|is_editor_or_owner_of_ds:object %}
+                <a href="{% url 'viralhostrangedb:data-source-data-update' pk=object.pk%}" role="button"
+                   class="btn btn-outline-primary"><i class="fa fa-upload"></i> {%trans "Update content" %}</a>
+                <a href="http://hub.pages.pasteur.fr/viralhostrangedb/compatible_file.html" target="_blank" style="flex-grow:0"
+                   class="float-right btn btn-outline-primary">
+                    <i class="fa fa-question-circle"></i>
+                </a>
+                {%endif%}
            </div>

        </div>
@@ -221,7 +221,7 @@
    <div class="card">
        <div class="card-header">
            {%trans "Viruses"%}
-            {% if request|can_edit:object %}
+            {% if request|is_editor_or_owner_of_ds:object %}
            <a class="btn btn-xs btn-outline-secondary float-right"
               href="{% url 'viralhostrangedb:data-source-virus-delete' pk=object.pk%}"
               role="button"
@@ -229,6 +229,8 @@
            >
                <i class="fa fa-trash"></i> {%trans "Delete ..." %}
            </a>
+            {%endif%}
+            {% if request|can_edit:object %}
            <a class="btn btn-xs btn-outline-secondary float-right"
               href="{% url 'viralhostrangedb:data-source-virus-update' pk=object.pk%}"
               role="button"
@@ -249,7 +251,7 @@
    <div class="card">
        <div class="card-header">
            {%trans "Hosts"%}
-            {% if request|can_edit:object %}
+            {% if request|is_editor_or_owner_of_ds:object %}
            <a class="btn btn-xs btn-outline-secondary float-right"
               href="{% url 'viralhostrangedb:data-source-host-delete' pk=object.pk%}"
               role="button"
@@ -257,6 +259,8 @@
            >
                <i class="fa fa-trash"></i> {%trans "Delete ..." %}
            </a>
+            {%endif%}
+            {% if request|can_edit:object %}
            <a class="btn btn-xs btn-outline-secondary float-right"
               href="{% url 'viralhostrangedb:data-source-host-update' pk=object.pk%}"
               role="button"

--- a/src/viralhostrange/viralhostrangedb/templates/viralhostrangedb/datasource_history.html
+++ b/src/viralhostrange/viralhostrangedb/templates/viralhostrangedb/datasource_history.html
@@ -29,20 +29,33 @@
            <td>{{o.action_time}}</td>
            <td>{{o.user.last_name|upper}} {{o.user.first_name|title}}</td>
            <td>{{o|get_change_message_with_action}}</td>
+            {%with request|is_editor_or_owner_of_ds:o.object_id as can_restore %}
            <td class="text-center">
                {% if o|should_have_backup_file %}
                    {% if o|has_backup_file %}
                        {% if forloop.first %}
                            <i>{%trans 'Current version' %}</i>
                        {% else %}
+                            {%if can_restore or o.user_id is request.user.id%}
                            <a href="{% url 'viralhostrangedb:data-source-history-download' pk=o.object_id log_pk=o.pk%}"
                               class="btn btn-xs btn-outline-primary">
                                <i class="fa fa-download" aria-hidden="true"></i> {%trans 'Download saved data'%}
                            </a>
+                            {%else%}
+                            <button disabled="disabled" class="btn btn-xs btn-outline-primary disabled not-allowed">
+                                <i class="fa fa-download" aria-hidden="true"></i> {%trans 'Download saved data'%}
+                            </button>
+                            {%endif%}
+                            {%if can_restore%}
                            <a href="{% url 'viralhostrangedb:data-source-history-restoration' pk=o.object_id log_pk=o.pk%}"
                               class="btn btn-xs btn-outline-danger">
                                <i class="fa fa-undo" aria-hidden="true"></i> {%trans 'Restore data at this point' %}
                            </a>
+                           {%else%}
+                            <button disabled="disabled" class="btn btn-xs btn-outline-danger disabled not-allowed">
+                                <i class="fa fa-undo" aria-hidden="true"></i> {%trans 'Restore data at this point'%}
+                            </button>
+                            {%endif%}
                        {%endif%}
                    {% else %}
                        <i>{%trans 'Backup missing' %}</i>
@@ -56,6 +69,7 @@
                <i>{%trans 'No backup created' %}</i>
                {%endif%}
            </td>
+            {%endwith %}
        </tr>
        {%endfor%}
        </tbody>

--- a/src/viralhostrange/viralhostrangedb/templatetags/viralhostrange_tags.py
+++ b/src/viralhostrange/viralhostrangedb/templatetags/viralhostrange_tags.py
@@ -68,6 +68,28 @@ def can_edit(user, obj):
    return False


+@register.filter
+def is_editor_or_owner_of_ds(user, obj_pk):
+    # used to access datasource history, should follow get_log_entry_with_permission_check_or_404
+    # if user is a WSGIRequest, get the attr user
+    if hasattr(obj_pk,'pk'):
+        obj_pk=obj_pk.pk
+    user = getattr(user, "user", user)
+    if not user.is_authenticated:
+        return False
+    try:
+        return mixins.only_editor_or_owned_queryset_filter(
+            self=None,
+            request=None,
+            queryset=models.DataSource.objects.filter(pk=obj_pk),
+            user=user,
+        ).exists()
+    except Exception as e:
+        if settings.DEBUG:
+            raise e
+    return False
+
+
 @register.filter
 def get_curators_list(_):
    return business_process.get_curators().order_by("last_name", "first_name")