From 462c87487b3e5426e4dc10ffcae439f8cbb67eb0 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Wed, 11 May 2022 15:02:40 +0200
Subject: [PATCH] Implement setting GIVE_STAFF_LEAD_PERMS so staff can be given
 permission to set external reviewers.

---
 hypha/apply/funds/forms.py | 14 +++++++++++---
 hypha/settings/base.py     |  5 +++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/hypha/apply/funds/forms.py b/hypha/apply/funds/forms.py
index 1259a1762..4ed149714 100644
--- a/hypha/apply/funds/forms.py
+++ b/hypha/apply/funds/forms.py
@@ -5,6 +5,7 @@ from operator import methodcaller
 
 import bleach
 from django import forms
+from django.conf import settings
 from django.utils.safestring import mark_safe
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
@@ -251,7 +252,12 @@ class UpdateReviewersForm(ApplicationSubmissionModelForm):
         field.initial = initial
 
     def can_alter_external_reviewers(self, instance, user):
-        return instance.stage.has_external_review and (user == instance.lead or user.is_superuser)
+        if instance.stage.has_external_review:
+            if settings.GIVE_STAFF_LEAD_PERMS:
+                return user.is_apply_staff or user.is_superuser
+            else:
+                return user == instance.lead or user.is_superuser
+        return False
 
     def clean(self):
         cleaned_data = super().clean()
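Review bot: `can_alter_external_reviewers` now holds an access-control rule that depends on a setting, but it has no docstring, and the nested `if`/`else` hides the fact that superusers pass in both modes. A one-line docstring stating who may change external reviewers would help. The body reads more directly as guard clauses: `if not instance.stage.has_external_review: return False`, then `if user.is_superuser: return True`, then `return user.is_apply_staff if settings.GIVE_STAFF_LEAD_PERMS else user == instance.lead`. The same rule is written out again in the batch form's check in the next hunk, where it has already diverged, so a shared helper would keep the two in step.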
@@ -375,8 +381,10 @@ class BatchUpdateReviewersForm(forms.Form):
 
     def user_cant_alter_submissions_external_reviewers(self, submissions, user):
         for submission in submissions:
-            if user != submission.lead and not user.is_superuser:
-                return True
+            if settings.GIVE_STAFF_LEAD_PERMS:
+                return user != submission.lead and not user.is_superuser
+            else:
+                return not user.is_apply_staff and not user.is_superuser
         return False
 
     def save(self):
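Review bot: The two branches in `user_cant_alter_submissions_external_reviewers` are swapped relative to `can_alter_external_reviewers`, and both now `return` on the first loop iteration. With `GIVE_STAFF_LEAD_PERMS` at its default of False, the `else` branch lets any apply staff pass the check, which is the permission the setting is meant to gate. With the setting enabled, only the first submission's lead is compared and the rest of the batch is never checked. The check should deny unless the user is a superuser, is staff with the setting on, or is lead on every submission, as in the rewrite below.

```python
    def user_cant_alter_submissions_external_reviewers(self, submissions, user):
        if user.is_superuser:
            return False
        if settings.GIVE_STAFF_LEAD_PERMS and user.is_apply_staff:
            return False
        # Otherwise the user must be lead on every submission in the batch.
        return any(user != submission.lead for submission in submissions)
```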
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 845ef28b7..3c12ef1e8 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -365,6 +365,11 @@ WAGTAILUSERS_PASSWORD_REQUIRED = False
 # Enforce Two factor setting
 ENFORCE_TWO_FACTOR = env.bool('ENFORCE_TWO_FACTOR', False)
 
+# Give staff lead permissions.
+# Only effects setting external reviewers for now.
+GIVE_STAFF_LEAD_PERMS = env.bool('GIVE_STAFF_LEAD_PERMS', False)
+
+
 LOGIN_URL = 'users_public:login'
 LOGIN_REDIRECT_URL = 'dashboard:dashboard'
 
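Review bot: The comment above `GIVE_STAFF_LEAD_PERMS` does not say what enabling it grants, which an operator needs to know for a flag that widens an authorization check. Suggest `# Let all staff, not only the submission lead, assign external reviewers.` followed by `# Default False keeps the lead/superuser-only rule.`. In the existing comment, "effects" should read "affects".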
-- 
GitLab