To prevent access if the user is not authenticated

tma-ntphat commented 1 year ago

Fixed bug: check user permissions to prevent access if the user is not authenticated

Purpose

Fixed bug.

To prevent access if the user is not authenticated.
Only permitted if the superuser or administrator
On User detail screen, display menu on header and left-sidebar for authenticated user

Changes

~Add permission definition permission_required = 'osf.view_osfuser', and add PermissionRequiredMixin to the inherited class list of the following View classes.~ Use the UserPassesTestMixin, and RdmPermissionMixin classes to check the permission of the authenticated users whose is_super_admin == True or is_admin == True

UserEmailsFormView
UserEmailsSearchList
UserEmailsView
UserPrimaryEmail

QA Notes

No data migration

Documentation

Side Effects

Ticket

hide24 commented 1 year ago

User who is_staff == True and is_admin == False can not use this feature. I expect them to use this feature.

tma-ntphat commented 1 year ago

@hide24
I have checked it again.

The PermissionRequiredMixin class and permission_required attribute only work on the active superusers (self.is_active and self.is_superuser or is_super_admin == True)
The integrated administrator whose is_superuser == True and is_super_admin == True can use this feature because they have permissions.
The institutional administrator whose is_staff == True and is_admin == True can not use this feature because they have no permission.

I fixed it according to the following solution Use the UserPassesTestMixin, and RdmPermissionMixin classes to check the permission of the authenticated users whose is_super_admin == True or is_admin == True

Please help to check it. Thanks.

hide24 commented 1 year ago

Sorry and thank you. It's alright.

RCOSDP / RDM-osf.io