HyphaApp / hypha

Submission management software for open calls
https://www.hypha.app
BSD 3-Clause "New" or "Revised" License

Group project permissions in wagtail have no effect #4093

Open bickelj opened 4 weeks ago

bickelj commented 4 weeks ago

Describe the bug

I want to let the Reviewer group see Project Reports. By default, the group gets permission denied. When an Admin adds "View" for every "Project ..." in Wagtail Admin (e.g. /admin/groups/edit/3/), the member of Reviewer still gets permission denied on /apply/projects URLs.

To Reproduce

Steps to reproduce the behavior:

  1. Use Hypha v5.13.1,
  2. Restore the sandbox database,
  3. Run migrations,
  4. Log in as reviewer@example.com,
  5. Try to access /apply/projects,
  6. See permission denied.
  7. Log in as administrator,
  8. Go to Reviewer group settings (/admin/groups/edit/3/ in a fresh sandbox db),
  9. Check all "View" permissions for "Project ..." settings,
  10. Log in as reviewer@example.com,
  11. See that there is no "Projects" link available,
  12. Visit projects directly, /apply/projects/, see permission denied,
  13. Visit a visible Submission with a project link, /apply/submissions/5/,
  14. Click the individual project link there, /apply/projects/2/,
  15. See permission denied.

Expected behavior

The permissions in Wagtail to be effective.

Given a group, when I set "View" on any one Project-related permission for a group, then that group should gain access to Projects.

A less-desired alternative is to remove the appearance of being able to set those permissions. An OK alternative would be to let an administrator set the permissions outside of Wagtail admin somehow.

Priority

Affected roles

Desktop (please complete the following information):

Additional context

Some funders have no distinction (or less of a distinction) between a Submission and a Project. For example, the reviewers of a Submission may be the same folks who review the Project Reports. In this case it is useful to let them see the Projects and specifically reports. Fine-grained permissions presented in Wagtail look like they give the needed controls. For example, reviewers may need to see reports but not Project Form.

frjo commented 4 weeks ago

Wagtail admin permissions on groups mainly affect what the users of that group can do in Wagtail admin.

If a user's group has Add/Change/Delete checked on e.g. "Project report form" they can Add/Change/Delete report forms at "/admin/application_projects/projectreportform/".

It is rare that we use these settings in Hypha itself.

We have plans to improve permission handling overall in Hypha. We can talk about this in the next meeting.

bickelj commented 4 weeks ago

@frjo Do you have a rough outline of the improvement to permission handling you can share? Does the permission improvement seem like a heavy undertaking to you (e.g. months not days)?

frjo commented 4 weeks ago

It will be months, but before the end of the year in my estimate. One move we already started implementing is concentrating permission code to permission.py files.

We will move from things like if request.user.is_apply_staff to user_can_*() calls that can be used in code as well as in templates.
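The following is an added example, not Hypha's own code, illustrating both the behaviour reported in the issue and the direction frjo describes: a scattered role-flag check (is_apply_staff) that never consults group permissions, beside a single user_can_*() function that views and templates share and that honours the model permission an administrator grants in Wagtail admin. The Group and User classes are plain stand-ins for Django's models (has_perm mimics the group lookup of ModelBackend), and the codename application_projects.view_project, the function names and the sample data are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    """Stand-in for django.contrib.auth Group: holds 'app_label.codename' strings."""
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    """Stand-in for a Hypha user: group memberships plus the is_apply_staff role flag."""
    email: str
    groups: list = field(default_factory=list)
    is_apply_staff: bool = False

    def has_perm(self, perm: str) -> bool:
        """Mimics Django's ModelBackend: a permission held by any of the user's groups."""
        return any(perm in group.permissions for group in self.groups)


@dataclass
class Project:
    pk: int
    title: str


# Codename assumed for illustration; Django derives the real one from the model name.
VIEW_PROJECT = "application_projects.view_project"


def legacy_can_view_projects(user: User) -> bool:
    """'Before': the role-flag check scattered through views and templates.
    Group permissions edited in Wagtail admin never reach this code, so ticking
    'View' there changes nothing, which is the behaviour the issue reports."""
    return user.is_apply_staff


def user_can_view_project(user: User, project: Optional[Project] = None) -> bool:
    """'After': the single decision point that views and templates both call.
    Staff keep their access; everyone else needs the group-granted model permission."""
    if user.is_apply_staff:
        return True
    return user.has_perm(VIEW_PROJECT)


def project_detail_view(user: User, project: Project) -> int:
    """A view reduced to the HTTP status it would answer with."""
    if not user_can_view_project(user, project):
        return 403
    return 200


def nav_links(user: User) -> list:
    """What a template would render: the 'Projects' link appears only when the
    same permission function says yes, so menu and view cannot disagree."""
    links = ["Submissions"]
    if user_can_view_project(user):
        links.append("Projects")
    return links


def scenario() -> dict:
    """Replays the issue's steps on constructed data (not the sandbox database)."""
    reviewer_group = Group("Reviewer")
    reviewer = User("reviewer@example.com", groups=[reviewer_group])
    project = Project(pk=2, title="Example project")

    before = {
        "legacy": legacy_can_view_projects(reviewer),
        "status": project_detail_view(reviewer, project),
        "links": nav_links(reviewer),
    }
    # Step 9 of the report: an administrator ticks 'View' for the Project model.
    reviewer_group.permissions.add(VIEW_PROJECT)
    after = {
        "legacy": legacy_can_view_projects(reviewer),
        "status": project_detail_view(reviewer, project),
        "links": nav_links(reviewer),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(scenario())
```

Running scenario() shows the gap the issue describes: after the administrator grants the permission, legacy_can_view_projects still answers False, while the shared user_can_view_project function turns the 403 into a 200 and makes the "Projects" link appear, because views and templates now consult the same function that reads the group permission.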