don't show accessrestrictiongroups to select that the user can't grant

2024-12-16 10:44:48 +00:00 · 2024-12-16 10:44:48 +00:00 · 13cf207ee6
commit 13cf207ee6
parent 6b494810cc
2 changed files with 10 additions and 13 deletions
--- a/src/c3nav/control/forms.py
+++ b/src/c3nav/control/forms.py
@ -66,9 +66,9 @@ class AccessPermissionForm(Form):

        # get access permission groups
        if request:
-            groups = AccessRestrictionGroup.qs_for_request(request)
+            groups = AccessRestrictionGroup.qs_for_request(request, can_grant=True)
        else:
-            groups = AccessRestrictionGroup.qs_for_user(author)
+            groups = AccessRestrictionGroup.qs_for_user(author, can_grant=True)
        groups = groups.prefetch_related(
            Prefetch('members', AccessRestriction.objects.only('pk'))
        )
@ -99,9 +99,6 @@ class AccessPermissionForm(Form):
            "all": tuple(('g%d' % pk) for pk in self.group_contents.keys()) + tuple(restrictions_not_in_group),
        })

-        from pprint import pprint
-        pprint(self.access_restriction_choices)
-
        # construct choice field for access permissions
        choices = [('', _('choose permissions…')),  # noqa
                   ('all', ngettext_lazy('everything possible (%d permission)',
--- a/src/c3nav/mapdata/models/access.py
+++ b/src/c3nav/mapdata/models/access.py
@ -68,29 +68,29 @@ class AccessRestrictionGroup(TitledMixin, models.Model):
        default_related_name = 'accessrestrictiongroups'

    @classmethod
-    def qs_for_request(cls, request):
-        return cls.objects.filter(cls.q_for_request(request))
+    def qs_for_request(cls, request, can_grant=None):
+        return cls.objects.filter(cls.q_for_request(request, can_grant=can_grant))

    @classmethod
-    def q_for_request(cls, request):
+    def q_for_request(cls, request, can_grant=None):
        if request.user.is_authenticated and request.user.is_superuser:
            return Q()
        all_permissions = AccessRestriction.get_all()
-        permissions = AccessPermission.get_for_request(request)
+        permissions = AccessPermission.get_for_request(request, can_grant=can_grant)
        # now we filter out groups where the user doesn't have a permission for all members
        filter_perms = all_permissions - permissions
        return ~Q(members__pk__in=filter_perms)

    @classmethod
-    def qs_for_user(cls, user):
-        return cls.objects.filter(cls.q_for_user(user))
+    def qs_for_user(cls, user, can_grant=None):
+        return cls.objects.filter(cls.q_for_user(user, can_grant=can_grant))

    @classmethod
-    def q_for_user(cls, user):
+    def q_for_user(cls, user, can_grant=None):
        if user.is_authenticated and user.is_superuser:
            return Q()
        all_permissions = AccessRestriction.get_all()
-        permissions = AccessPermission.get_for_user(user)
+        permissions = AccessPermission.get_for_user(user, can_grant=can_grant)
        # now we filter out groups where the user doesn't have a permission for all members
        filter_perms = all_permissions - permissions
        return ~Q(members__pk__in=filter_perms)