diff --git a/hypha/apply/funds/forms.py b/hypha/apply/funds/forms.py
index 1259a1762d3cade41651e46c8672ba909a27779d..4ed149714b6aa11d1cc99603b55afaa82d807f17 100644
--- a/hypha/apply/funds/forms.py
+++ b/hypha/apply/funds/forms.py
@@ -5,6 +5,7 @@ from operator import methodcaller
 import bleach
 from django import forms
+from django.conf import settings
 from django.utils.safestring import mark_safe
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
@@ -251,7 +252,12 @@ class UpdateReviewersForm(ApplicationSubmissionModelForm):
 field.initial = initial
 def can_alter_external_reviewers(self, instance, user):
- return instance.stage.has_external_review and (user == instance.lead or user.is_superuser)
+ if instance.stage.has_external_review:
+ if settings.GIVE_STAFF_LEAD_PERMS:
+ return user.is_apply_staff or user.is_superuser
+ else:
+ return user == instance.lead or user.is_superuser
+ return False
 def clean(self):
 cleaned_data = super().clean()
@@ -375,8 +381,10 @@ class BatchUpdateReviewersForm(forms.Form):
 def user_cant_alter_submissions_external_reviewers(self, submissions, user):
 for submission in submissions:
- if user != submission.lead and not user.is_superuser:
- return True
+ if settings.GIVE_STAFF_LEAD_PERMS:
+ return user != submission.lead and not user.is_superuser
+ else:
+ return not user.is_apply_staff and not user.is_superuser
 return False
 def save(self):
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 845ef28b72e2c0ee0a2f5b115ce16612e3a3ea7b..3c12ef1e8d4c88d3069df6f3e852ca1ac46deb17 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
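Review bot: In `user_cant_alter_submissions_external_reviewers` both new branches `return` on the first pass through the `for` loop, so only the first submission of a batch is checked and a user who leads that one passes for every other submission in it. The two branches are also swapped relative to `can_alter_external_reviewers` earlier in this commit: with `GIVE_STAFF_LEAD_PERMS` at its default of `False` the batch form accepts any staff user, while the single-submission form still requires the lead. Compute the per-submission permission the same way as the single form and return `True` only when it fails, letting the loop continue otherwise, as below. A test with a batch whose first submission the user leads and whose second they do not would pin this.

```python
    def user_cant_alter_submissions_external_reviewers(self, submissions, user):
        for submission in submissions:
            if settings.GIVE_STAFF_LEAD_PERMS:
                allowed = user.is_apply_staff or user.is_superuser
            else:
                allowed = user == submission.lead or user.is_superuser
            if not allowed:
                return True
        # … unchanged: return False after the loop …
```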
@@ -365,6 +365,11 @@ WAGTAILUSERS_PASSWORD_REQUIRED = False
 # Enforce Two factor setting
 ENFORCE_TWO_FACTOR = env.bool('ENFORCE_TWO_FACTOR', False)
+# Give staff lead permissions.
+# Only effects setting external reviewers for now.
+GIVE_STAFF_LEAD_PERMS = env.bool('GIVE_STAFF_LEAD_PERMS', False)
+
+
 LOGIN_URL = 'users_public:login'
 LOGIN_REDIRECT_URL = 'dashboard:dashboard'
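Review bot: The comment above `GIVE_STAFF_LEAD_PERMS` does not say whose access the flag widens, and "Only effects" should read "Only affects". Since the setting relaxes an authorization check, the comment should name the rule it changes, for example `# When True, any staff user (not only the submission lead) may change external reviewers.` followed by `# Only affects setting external reviewers for now.` An operator reading the settings file can then tell that enabling it broadens access.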