Open bickelj opened 4 weeks ago
Wagtail admin permissions on groups mainly affect what the users of that group can do in Wagtail admin.
If a user's group has Add/Change/Delete checked on e.g. "Project report form" they can Add/Change/Delete report forms at "/admin/application_projects/projectreportform/".
We rarely use these settings in Hypha itself.
We have plans to improve permission handling overall in Hypha. We can talk about this in the next meeting.
@frjo Do you have a rough outline of the improvement to permission handling you can share? Does the permission improvement seem like a heavy undertaking to you (e.g. months not days)?
It will be months, but before the end of the year in my estimate. One move we already started implementing is concentrating permission code to permission.py files.
We will move from things like if request.user.is_apply_staff to user_can_*() calls that can be used in code as well as in templates.
Describe the bug
I want to let the Reviewer group see Project Reports. By default, the group gets permission denied. When an Admin adds "View" for every "Project ..." in Wagtail Admin (e.g. /admin/groups/edit/3/), the member of Reviewer still gets permission denied on /apply/projects URLs.
To Reproduce
Steps to reproduce the behavior:
/apply/projects
,/admin/groups/edit/3/
in a fresh sandbox db),/apply/projects/
, see permission denied,/apply/submissions/5/
,/apply/projects/2/,
Expected behavior
The permissions in Wagtail to be effective.
Given a group, when I set "View" on any one Project-related permission for a group, then that group should gain access to Projects.
A less-desired alternative is to remove the appearance of being able to set those permissions. An OK alternative would be to let an administrator set the permissions outside of Wagtail admin somehow.
Priority
Affected roles
Desktop (please complete the following information):
Additional context
Some funders have no distinction (or less of a distinction) between a Submission and a Project. For example, the reviewers of a Submission may be the same folks who review the Project Reports. In this case it is useful to let them see the Projects and specifically reports. Fine-grained permissions presented in Wagtail look like they give the needed controls. For example, reviewers may need to see reports but not Project Form.
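Added example, not part of the issue thread or Hypha's code: a pure-Python sketch of the mismatch reported above, assuming the project views are gated on a role flag such as is_apply_staff so that a group's "View" permission is never consulted, next to a single user_can_*-style predicate that does consult it. The classes, the permission codename and user_can_view_project_reports are hypothetical stand-ins.

```python
from dataclasses import dataclass, field

VIEW_REPORT = "application_projects.view_report"  # constructed codename

class PermissionDenied(Exception):
    """Stand-in for the framework's permission-denied error."""

@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    is_apply_staff: bool = False  # role flag named in the thread

    def has_perm(self, codename):
        # A user holds every permission granted to any of their groups.
        return any(codename in g.permissions for g in self.groups)

def reports_view_role_gate(user):
    # Assumed current shape: only the role flag is checked, so whatever
    # the admin ticks on the group has no effect on this view.
    if not user.is_apply_staff:
        raise PermissionDenied(user.name)
    return "reports"

def user_can_view_project_reports(user):
    # Hypothetical user_can_*() predicate: one place that honours both
    # the staff role and the group permission set in the admin UI.
    return user.is_apply_staff or user.has_perm(VIEW_REPORT)

def reports_view_perm_gate(user):
    if not user_can_view_project_reports(user):
        raise PermissionDenied(user.name)
    return "reports"

def outcome(gate, user):
    try:
        gate(user)
        return "allowed"
    except PermissionDenied:
        return "denied"

def demo():
    reviewer = User("rev", [Group("Reviewer", {VIEW_REPORT})])  # "View" ticked
    applicant = User("app", [Group("Applicant")])               # nothing granted
    gates = {"role": reports_view_role_gate, "perm": reports_view_perm_gate}
    return {(g, u.name): outcome(fn, u)
            for g, fn in gates.items() for u in (reviewer, applicant)}
```

The applicant case matters as much as the reviewer case: the predicate must widen access only for groups that were actually granted the permission.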