Merged in [19254], [19256], [19258], [19259] from rjsparks@nostrum.com:\n Improvements to group-role authorization:\n Show groupman_authroles in the GroupFeatures admin list.\n Rename ietf.group.utils.can_manage_group_type to can_manage_all_groups_of_type to improve code readability where it is used.\n Changed the signature of can_manage_all_groups_of_type to only take a type_id. Removed the logic that tried to distinguish permissions for teams by parent - that should be modeled as separate type_ids instead.\n Changed implementation of can_manage_all_groups_of_type to use GroupFeatures.groupman_authroles.

- Legacy-Id: 19273
Note: SVN reference [19254] has been migrated to Git commit c01fea3920

Note: SVN reference [19256] has been migrated to Git commit 7ede0942d0

Note: SVN reference [19258] has been migrated to Git commit 359889c1f7

Note: SVN reference [19259] has been migrated to Git commit a29480703f

ietf/doc/views_charter.py

@@ -34,7 +34,7 @@ from ietf.doc.utils_charter import ( historic_milestones_for_charter,
 from ietf.doc.mails import email_state_changed, email_charter_internal_review
 from ietf.group.mails import email_admin_re_charter
 from ietf.group.models import Group, ChangeStateGroupEvent, MilestoneGroupEvent
-from ietf.group.utils import save_group_in_history, save_milestone_in_history, can_manage_group_type
+from ietf.group.utils import save_group_in_history, save_milestone_in_history, can_manage_all_groups_of_type
 from ietf.group.views import fill_in_charter_info
 from ietf.ietfauth.utils import has_role, role_required
 from ietf.name.models import GroupStateName
@@ -70,7 +70,7 @@ def change_state(request, name, option=None):
     charter = get_object_or_404(Document, type="charter", name=name)
     group = charter.group
 
-    if not can_manage_group_type(request.user, group):
+    if not can_manage_all_groups_of_type(request.user, group.type_id):
         permission_denied(request, "You don't have permission to access this view.")
 
     chartering_type = get_chartering_type(charter)
@@ -261,7 +261,7 @@ def change_title(request, name, option=None):
     logging the title as a comment."""
     charter = get_object_or_404(Document, type="charter", name=name)
     group = charter.group
-    if not can_manage_group_type(request.user, group):
+    if not can_manage_all_groups_of_type(request.user, group.type_id):
         permission_denied(request, "You don't have permission to access this view.")
     by = request.user.person
     if request.method == 'POST':
@@ -374,7 +374,7 @@ def submit(request, name, option=None):
         charter_canonical_name = name
         charter_rev = "00-00"
 
-    if not can_manage_group_type(request.user, group) or not group.features.has_chartering_process:
+    if not can_manage_all_groups_of_type(request.user, group.type_id) or not group.features.has_chartering_process:
         permission_denied(request, "You don't have permission to access this view.")
 
 

ietf/doc/views_doc.py

@@ -65,7 +65,7 @@ from ietf.doc.utils import (add_links_in_new_revision_events, augment_events_wit
     build_doc_supermeta_block, build_file_urls, update_documentauthors)
 from ietf.doc.utils_bofreq import bofreq_editors, bofreq_responsible
 from ietf.group.models import Role, Group
-from ietf.group.utils import can_manage_group_type, can_manage_materials, group_features_role_filter
+from ietf.group.utils import can_manage_all_groups_of_type, can_manage_materials, group_features_role_filter
 from ietf.ietfauth.utils import ( has_role, is_authorized_in_doc_stream, user_is_person,
     role_required, is_individual_draft_author)
 from ietf.name.models import StreamName, BallotPositionName
@@ -510,7 +510,7 @@ def document_main(request, name, rev=None):
         if chartering and not snapshot:
             milestones = doc.group.groupmilestone_set.filter(state="charter")
 
-        can_manage = can_manage_group_type(request.user, doc.group)
+        can_manage = can_manage_all_groups_of_type(request.user, doc.group.type_id)
 
         return render(request, "doc/document_charter.html",
                                   dict(doc=doc,

ietf/group/admin.py

@@ -194,6 +194,7 @@ class GroupFeaturesAdmin(admin.ModelAdmin):
         'admin_roles',
         'docman_roles',
         'groupman_roles',
+        'groupman_authroles',
         'matman_roles',
         'role_order',
     ]

ietf/group/milestones.py

@@ -16,7 +16,7 @@ from ietf.doc.models import DocEvent
 from ietf.doc.utils import get_chartering_type
 from ietf.doc.fields import SearchableDocumentsField
 from ietf.group.models import GroupMilestone, MilestoneGroupEvent
-from ietf.group.utils import (save_milestone_in_history, can_manage_group_type, can_manage_group,
+from ietf.group.utils import (save_milestone_in_history, can_manage_all_groups_of_type, can_manage_group,
                               milestone_reviewer_for_group_type, get_group_or_404, has_role)
 from ietf.name.models import GroupMilestoneStateName
 from ietf.group.mails import email_milestones_changed
@@ -112,7 +112,7 @@ def edit_milestones(request, acronym, group_type=None, milestone_set="current"):
     needs_review = False
     if can_manage_group(request.user, group):
         can_change_uses_milestone_dates = True
-        if not can_manage_group_type(request.user, group):
+        if not can_manage_all_groups_of_type(request.user, group.type_id):
             # The user is chair or similar, not AD:
             can_change_uses_milestone_dates = False
             if milestone_set == "current":

ietf/group/utils.py

@@ -105,32 +105,17 @@ def save_milestone_in_history(milestone):
 
     return h
 
-# TODO: rework this using features.groupman_authroles
-def can_manage_group_type(user, group, type_id=None):
+def can_manage_all_groups_of_type(user, type_id):
     if not user.is_authenticated:
         return False
-    if type_id is None:
-        type_id = group.type_id
     log.assertion("isinstance(type_id, (type(''), type(u'')))")
-    if type_id == "rg":
-        return has_role(user, ('IRTF Chair', 'Secretariat'))
-    elif type_id == "wg":
-        return has_role(user, ('Area Director', 'Secretariat'))
-    elif type_id == "team":
-        if group and group.is_decendant_of("ietf"):
-            return has_role(user, ('Area Director', 'Secretariat'))
-        elif group and group.is_decendant_of("irtf"):
-            return has_role(user, ('IRTF Chair', 'Secretariat'))
-    elif type_id == "program":
-        return has_role(user, ('IAB', 'Secretariat',))        
-    return has_role(user, ('Secretariat'))
+    return has_role(user, GroupFeatures.objects.get(type_id=type_id).groupman_authroles) 
 
 def can_manage_group(user, group):
     if not user.is_authenticated:
         return False
-    for authrole in group.features.groupman_authroles:
-        if has_role(user, authrole):
-            return True
+    if has_role(user, group.features.groupman_authroles):
+        return True
     return group.has_role(user, group.features.groupman_roles)
 
 def milestone_reviewer_for_group_type(group_type):
@@ -261,7 +246,7 @@ def construct_group_menu_context(request, group, selected, group_type, others):
     if group.features.customize_workflow and can_manage:
         actions.append(("Customize workflow", urlreverse("ietf.group.views.customize_workflow", kwargs=kwargs)))
 
-    if group.state_id in ("active", "dormant") and group.type_id in ["wg", "rg", ] and can_manage_group_type(request.user, group):
+    if group.state_id in ("active", "dormant") and group.type_id in ["wg", "rg", ] and can_manage_all_groups_of_type(request.user, group.type_id):
         actions.append(("Request closing group", urlreverse("ietf.group.views.conclude", kwargs=kwargs)))
 
     d = {

ietf/group/views.py

@@ -75,7 +75,7 @@ from ietf.group.forms import (GroupForm, StatusUpdateForm, ConcludeGroupForm, St
 from ietf.group.mails import email_admin_re_charter, email_personnel_change, email_comment
 from ietf.group.models import ( Group, Role, GroupEvent, GroupStateTransitions,
                               ChangeStateGroupEvent, GroupFeatures )
-from ietf.group.utils import (get_charter_text, can_manage_group_type, 
+from ietf.group.utils import (get_charter_text, can_manage_all_groups_of_type, 
                               milestone_reviewer_for_group_type, can_provide_status_update,
                               can_manage_materials, 
                               construct_group_menu_context, get_group_materials,
@@ -392,7 +392,7 @@ def chartering_groups(request):
 
     for t in group_types:
         t.chartering_groups = Group.objects.filter(type=t, charter__states__in=charter_states,state_id__in=('active','bof','proposed','dormant')).select_related("state", "charter").order_by("acronym")
-        t.can_manage = can_manage_group_type(request.user, None, t.slug)
+        t.can_manage = can_manage_all_groups_of_type(request.user, t.slug)
 
         for g in t.chartering_groups:
             g.chartering_type = get_chartering_type(g.charter)
@@ -523,7 +523,7 @@ def group_about(request, acronym, group_type=None):
     if group.state_id == "conclude":
         e = group.latest_event(type='closing_note')
 
-    can_manage = can_manage_group_type(request.user, group)
+    can_manage = can_manage_all_groups_of_type(request.user, group.type_id)
     charter_submit_url = "" 
     if group.features.has_chartering_process: 
         charter_submit_url = urlreverse('ietf.doc.views_charter.submit', kwargs={ "name": charter_name_for_group(group) }) 
@@ -1077,7 +1077,7 @@ def conclude(request, acronym, group_type=None):
     """Request the closing of group, prompting for instructions."""
     group = get_group_or_404(acronym, group_type)
 
-    if not can_manage_group_type(request.user, group):
+    if not can_manage_all_groups_of_type(request.user, group.type_id):
         permission_denied(request, "You don't have permission to access this view")
 
     if request.method == 'POST':