refactor sas moderation view permission

2026-03-13 15:15:03 +00:00 · 2026-02-21 18:33:55 +01:00
parent 52759764a1
commit 84ed180c1e
4 changed files with 239 additions and 252 deletions
--- a/sas/static/bundled/sas/viewer-index.ts
+++ b/sas/static/bundled/sas/viewer-index.ts
@@ -109,15 +109,14 @@ interface ViewerConfig {
  /** id of the first picture to load on the page */
  firstPictureId: number;
  /** if the user is sas admin */
-  userIsSasAdmin: boolean;
+  userCanModerate: boolean;
 }

 /**
 * Load user picture page with a nice download bar
 **/
-exportToHtml("loadViewer", (config: ViewerConfig) => {
-  document.addEventListener("alpine:init", () => {
-    Alpine.data("picture_viewer", () => ({
+document.addEventListener("alpine:init", () => {
+  Alpine.data("picture_viewer", (config: ViewerConfig) => ({
    /**
     * All the pictures that can be displayed on this picture viewer
     **/
@@ -208,8 +207,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
        }
        this.pushstate = History.Replace;
        this.currentPicture = this.pictures.find(
-            (i: PictureSchema) =>
-              i.id === Number.parseInt(event.state.sasPictureId, 10),
+          (i: PictureSchema) => i.id === Number.parseInt(event.state.sasPictureId, 10),
        );
      });
      this.pushstate = History.Replace; /* Avoid first url push */
@@ -231,11 +229,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
        url: this.currentPicture.sas_url,
      };
      if (this.pushstate === History.Replace) {
-          window.history.replaceState(
-            updateArgs.data,
-            updateArgs.unused,
-            updateArgs.url,
-          );
+        window.history.replaceState(updateArgs.data, updateArgs.unused, updateArgs.url);
        this.pushstate = History.Push;
      } else {
        window.history.pushState(updateArgs.data, updateArgs.unused, updateArgs.url);
@@ -251,7 +245,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
        this.nextPicture?.preload();
        this.previousPicture?.preload();
      });
-        if (this.currentPicture.asked_for_removal && config.userIsSasAdmin) {
+      if (this.currentPicture.asked_for_removal && config.userCanModerate) {
        await Promise.all([
          this.currentPicture.loadIdentifications(),
          this.currentPicture.loadModeration(),
@@ -317,7 +311,7 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
     * Check if an identification can be removed by the currently logged user
     */
    canBeRemoved(identification: IdentifiedUserSchema): boolean {
-        return config.userIsSasAdmin || identification.user.id === config.userId;
+      return config.userCanModerate || identification.user.id === config.userId;
    },

    /**
@@ -336,5 +330,4 @@ exportToHtml("loadViewer", (config: ViewerConfig) => {
      }
    },
  }));
-  });
 });
--- a/sas/templates/sas/picture.jinja
+++ b/sas/templates/sas/picture.jinja
@@ -17,10 +17,8 @@

 {% from "sas/macros.jinja" import print_path %}

-{% set user_is_sas_admin = user.is_root or user.is_in_group(pk = settings.SITH_GROUP_SAS_ADMIN_ID) %}
-
 {% block content %}
-  <main x-data="picture_viewer">
+  <main x-data="picture_viewer(config)">
    <code>
      <a href="{{ url('sas:main') }}">SAS</a> / {{ print_path(album) }} <span x-text="currentPicture.name"></span>
    </code>
@@ -50,15 +48,13 @@
              It will be hidden to other users until it has been moderated.
            {% endtrans %}
          </p>
-          {% if user_is_sas_admin %}
+          {% if user.has_perm("sas.moderate_sasfile") %}
            <template x-if="currentPicture.asked_for_removal">
              <div>
                <h5>{% trans %}The following issues have been raised:{% endtrans %}</h5>
                <template x-for="req in (currentPicture.moderationRequests ?? [])" :key="req.id">
                  <div>
-                    <h6
-                      x-text="`${req.author.first_name} ${req.author.last_name}`"
-                    ></h6>
+                    <h6 x-text="`${req.author.first_name} ${req.author.last_name}`"></h6>
                    <i x-text="Intl.DateTimeFormat(
                               '{{ LANGUAGE_CODE }}',
                               {dateStyle: 'long', timeStyle: 'short'}
@@ -70,7 +66,7 @@
            </template>
          {% endif %}
        </div>
-        {% if user_is_sas_admin %}
+        {% if user.has_perm("sas.moderate_sasfile") %}
          <div class="alert-aside">
            <button class="btn btn-blue" @click="moderatePicture()">
              {% trans %}Moderate{% endtrans %}
@@ -204,16 +200,13 @@
 {% endblock %}

 {% block script %}
-  {{ super() }}
  <script>
-    window.addEventListener("DOMContentLoaded", () => {
-      loadViewer({
-        albumId: {{ album.id }} ,
+    const config = {
+      albumId: {{ album.id }},
      albumUrl: "{{ album.get_absolute_url() }}",
      firstPictureId: {{ picture.id }},  {# id of the first picture to show after page load #}
      userId: {{ user.id }},
-        userIsSasAdmin: {{ user_is_sas_admin|tojson }}
-      });
-    })
+      userCanModerate: {{ user.has_perm("sas.moderate_sasfile")|tojson }}
+    }
  </script>
 {% endblock %}
--- a/sas/tests/test_views.py
+++ b/sas/tests/test_views.py
@@ -161,16 +161,22 @@ class TestSasModeration(TestCase):
        assert len(res.context_data["pictures"]) == 1
        assert res.context_data["pictures"][0] == self.to_moderate

-        res = self.client.post(
-            reverse("sas:moderation"),
-            data={"album_id": self.to_moderate.id, "picture_id": self.to_moderate.id},
-        )
-
    def test_moderation_page_forbidden(self):
        self.client.force_login(self.simple_user)
        res = self.client.get(reverse("sas:moderation"))
        assert res.status_code == 403

+    def test_moderate_album(self):
+        self.client.force_login(self.moderator)
+        url = reverse("sas:moderation")
+        album = baker.make(
+            Album, is_moderated=False, parent_id=settings.SITH_SAS_ROOT_DIR_ID
+        )
+        res = self.client.post(url, data={"album_id": album.id, "moderate": ""})
+        assertRedirects(res, url)
+        album.refresh_from_db()
+        assert album.is_moderated
+
    def test_moderate_picture(self):
        self.client.force_login(self.moderator)
        res = self.client.get(
--- a/sas/views.py
+++ b/sas/views.py
@@ -15,10 +15,10 @@
 from typing import Any

 from django.conf import settings
-from django.core.exceptions import PermissionDenied
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.db.models import Count, OuterRef, Subquery
 from django.http import Http404, HttpResponseRedirect
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.safestring import SafeString
 from django.views.generic import CreateView, DetailView, TemplateView
@@ -191,18 +191,13 @@ class UserPicturesView(UserTabsMixin, CanViewMixin, DetailView):
 # Admin views


-class ModerationView(TemplateView):
+class ModerationView(PermissionRequiredMixin, TemplateView):
    template_name = "sas/moderation.jinja"
-
-    def get(self, request, *args, **kwargs):
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
-            return super().get(request, *args, **kwargs)
-        raise PermissionDenied
+    permission_required = "sas.moderate_sasfile"

    def post(self, request, *args, **kwargs):
        if "album_id" not in request.POST:
            raise Http404
-        if request.user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
        album = get_object_or_404(Album, pk=request.POST["album_id"])
        if "moderate" in request.POST:
            album.moderator = request.user
@@ -210,7 +205,7 @@ class ModerationView(TemplateView):
            album.save()
        elif "delete" in request.POST:
            album.delete()
-        return super().get(request, *args, **kwargs)
+        return redirect(self.request.path)

    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)