Fix permissions to add deliverables

832d3e16 · Shrikrishna Singh · 8089846e · 832d3e16 · 832d3e16 · 832d3e16
Commit 832d3e16 authored 3 years ago by Shrikrishna Singh
--- a/hypha/apply/api/v1/permissions.py
+++ b/hypha/apply/api/v1/permissions.py
@@ -20,7 +20,19 @@ class IsApplyStaffUser(permissions.BasePermission):

 class IsFinance1User(permissions.BasePermission):
    def has_permission(self, request, view):
-        return request.user.is_finance_level_1
+        invoice = view.get_invoice_object()
+        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)

    def has_object_permission(self, request, view, obj):
-        return request.user.is_finance_level_1
+        invoice = view.get_invoice_object()
+        return request.user.is_finance_level_1 and invoice.can_user_edit_deliverables(request.user)
+
+
+class IsFinance2User(permissions.BasePermission):
+    def has_permission(self, request, view):
+        invoice = view.get_invoice_object()
+        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
+
+    def has_object_permission(self, request, view, obj):
+        invoice = view.get_invoice_object()
+        return request.user.is_finance_level_2 and invoice.can_user_edit_deliverables(request.user)
--- a/hypha/apply/api/v1/projects/views.py
+++ b/hypha/apply/api/v1/projects/views.py
@@ -9,7 +9,7 @@ from hypha.apply.projects.models.payment import Invoice, InvoiceDeliverable
 from hypha.apply.projects.models.project import Deliverable

 from ..mixin import InvoiceNestedMixin, ProjectNestedMixin
-from ..permissions import IsApplyStaffUser, IsFinance1User
+from ..permissions import IsApplyStaffUser, IsFinance1User, IsFinance2User
 from .serializers import (
    DeliverableSerializer,
    InvoiceDeliverableListSerializer,
@@ -25,7 +25,7 @@ class DeliverableViewSet(
    viewsets.GenericViewSet
 ):
    permission_classes = (
-        permissions.IsAuthenticated, IsApplyStaffUser | IsFinance1User,
+        permissions.IsAuthenticated, IsApplyStaffUser | IsFinance1User | IsFinance2User
    )
    serializer_class = InvoiceDeliverableListSerializer
    pagination_class = None

--- a/hypha/apply/projects/models/payment.py
+++ b/hypha/apply/projects/models/payment.py
@@ -231,6 +231,20 @@ class Invoice(models.Model):
            return True
        return False

+    def can_user_edit_deliverables(self, user):
+        if not (user.is_apply_staff or user.is_finance_level_1 or user.is_finance_level_2):
+            return False
+        if user.is_apply_staff:
+            if self.status in {SUBMITTED, RESUBMITTED, CHANGES_REQUESTED_BY_FINANCE_1}:
+                return True
+        if user.is_finance_level_1:
+            if self.status in {APPROVED_BY_STAFF, CHANGES_REQUESTED_BY_FINANCE_2}:
+                return True
+        if user.is_finance_level_2:
+            if self.status in {APPROVED_BY_FINANCE_1}:
+                return True
+        return False
+
    @property
    def value(self):
        return self.paid_value or self.amount

--- a/hypha/apply/projects/templates/application_projects/includes/deliverables_block.html
+++ b/hypha/apply/projects/templates/application_projects/includes/deliverables_block.html
-{% load i18n %}
+{% load i18n invoice_tools %}
 <div class="sidebar__inner">
+    {% can_edit_deliverables invoice user as user_can_edit_deliverables %}
    <h5>{% trans "Choose deliverables" %}</h5>
    <form id="add-deliverables", action="" data-projectid="{{ project.id }}" data-invoiceid="{{ invoice.id }}">
        <div class="select-deliverables">
@@ -11,22 +12,25 @@
            </select>
        </div>
        <br>
-        <div class="available-to-invoice">
-            <b>{% trans "Available to invoice:" %} </b>
-        </div>
-        <br>
+        {% if user_can_edit_deliverables %}
+            <div class="available-to-invoice">
+                <b>{% trans "Available to invoice:" %} </b>
+            </div>
+            <br>
+        {% endif %}
+
        <div class="quantity">
            <b><label for="quantity">{% trans "Quantity:" %}</label></b>
            <input type="number" id="quantity" name="quantity" min="1">
        </div>
        <br>
-        <input type="submit" value="Add Deliverable">
+        <input type="submit" value="Add Deliverable" {% if not user_can_edit_deliverables %}disabled{% endif %}>
    </form>
    <br>
    <div id="list-deliverables">
        <div class="deliverables">
            {% for deliverable in invoice.deliverables.all %}
-                <b>{{ deliverable.deliverable.name }} ({{ deliverable.quantity }} {{ CURRENCY_SYMBOL }}{{deliverable.deliverable.unit_price}})</b><a href="{% url "api:v1:remove-deliverables" pk=deliverable.pk invoice_pk=invoice.pk project_pk=project.pk %}"> {% trans "Remove" %}</a>
+                <b>{{ deliverable.deliverable.name }} ({{ deliverable.quantity }} {{ CURRENCY_SYMBOL }}{{deliverable.deliverable.unit_price}})</b>{% if user_can_edit_deliverables %}<a href="{% url "api:v1:remove-deliverables" pk=deliverable.pk invoice_pk=invoice.pk project_pk=project.pk %}"> {% trans "Remove" %}</a>{% endif %}<br>
            {% endfor %}
        </div>
        {% if invoice.deliverables_total_amount.total %}

--- a/hypha/apply/projects/templatetags/invoice_tools.py
+++ b/hypha/apply/projects/templatetags/invoice_tools.py
@@ -44,3 +44,8 @@ def can_complete_required_checks(invoice, user):
 @register.simple_tag
 def can_view_required_checks(invoice, user):
    return invoice.can_user_view_required_checks(user)
+
+
+@register.simple_tag
+def can_edit_deliverables(invoice, user):
+    return invoice.can_user_edit_deliverables(user)