Merge remote-tracking branch 'origin/fix/gh-4275-project-document-per…

…mission' into test
HyphaApp · Dec 18, 2024 · 0ed272b · 0ed272b
2 parents b37f0a2 + f82267b
commit 0ed272b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/hypha/apply/projects/permissions.py b/hypha/apply/projects/permissions.py
@@ -1,8 +1,10 @@
 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from rolepermissions.permissions import register_object_checker
 
 from hypha.apply.activity.adapters.utils import get_users_for_groups
 from hypha.apply.users.models import User
+from hypha.apply.users.roles import Staff
 
 from .models.project import (
     CLOSING,
@@ -401,6 +403,13 @@ def can_edit_paf(user, project):
     return False, "You are not allowed to edit the project at this time"
 
 
+@register_object_checker()
+def upload_project_documents(role, user, project) -> bool:
+    if role == Staff:
+        return True
+    return False
+
+
 permissions_map = {
     "contract_approve": can_approve_contract,
     "contract_upload": can_upload_contract,

diff --git a/hypha/apply/projects/templates/application_projects/partials/supporting_documents.html b/hypha/apply/projects/templates/application_projects/partials/supporting_documents.html
@@ -1,4 +1,5 @@
 {% load i18n approval_tools project_tags heroicons %}
+{% load can from permission_tags %}
 
 <li class="docs-block__row">
     <div class="docs-block__row-inner">
@@ -36,7 +37,8 @@
                                 <p class="docs-block__document-info"><b>{{ latest_file.title }}</b> - {{ latest_file.created_at }}</p>
                             {% endif %}
                         </div>
-                        {% if document_category in remaining_document_categories %}
+                        {% can "upload_project_documents" object as can_upload_documents %}
+                        {% if document_category in remaining_document_categories and can_upload_documents %}
                             <div class="docs-block__document-inner__actions">
                                 <a class="font-bold flex items-center me-0 hover:opacity-70 transition-opacity"
                                    href="{% url 'apply:projects:supporting_doc_upload' object.id document_category.id %}"

diff --git a/hypha/apply/projects/views/project.py b/hypha/apply/projects/views/project.py
@@ -34,6 +34,7 @@
 from django_tables2 import SingleTableMixin
 from docx import Document
 from htmldocx import HtmlToDocx
+from rolepermissions.checkers import has_object_permission
 
 from hypha.apply.activity.adapters.utils import get_users_for_groups
 from hypha.apply.activity.messaging import MESSAGES, messenger
@@ -277,7 +278,6 @@ def post(self, *args, **kwargs):
 
 
 # PROJECT DOCUMENTS
-@method_decorator(staff_required, name="dispatch")
 class UploadDocumentView(CreateView):
     form_class = UploadDocumentForm
     model = Project
@@ -288,7 +288,11 @@ def dispatch(self, request, *args, **kwargs):
         self.category = get_object_or_404(
             DocumentCategory, id=kwargs.get("category_pk")
         )
-        # permission check
+        permission = has_object_permission(
+            "upload_project_documents", request.user, obj=self.project
+        )
+        if not permission:
+            raise PermissionDenied()
         return super().dispatch(request, *args, **kwargs)
 
     def get(self, *args, **kwargs):