shacker / django-todo

A multi-user, multi-group todo/ticketing system for Django projects. Includes CSV import and integrated mail tracking.
http://django-todo.org
BSD 3-Clause "New" or "Revised" License

is TODO_STAFF_ONLY used? #47

Closed ezzra closed 5 years ago

ezzra commented 5 years ago

Sorry for issue spamming, but just setting this up :)

I wonder if setting TODO_STAFF_ONLY = True has any effect. I can still add tasks and lists with a non-staff user; actually, I cannot find any use of TODO_STAFF_ONLY in the code.

shacker commented 5 years ago

Aha! This was working in todo v 1.x, but support for it was lost in the transition to v 2.x. Thinking about it more, it would be nice to be able to set access permissions for each of the 10 views, but it will require some careful thinking to do that in a way that doesn't require people to fork the codebase and do their own customization. But let's at least get it working again as it was in v 1.x.

Tests required.

shacker commented 5 years ago

This is fixed in 91b9a099a30274ce8bae6d705fcd0a5150159739. All views now check for the project-level TODO_STAFF_ONLY setting. If False or unset, all users can see all views (but some views still have internal checks to ensure that only staffers can add or delete lists, e.g.).

Adds tests to confirm.
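
An added example, not part of the comments above and not django-todo's own code: a framework-free Python model of the behaviour described in this thread (staff-only when TODO_STAFF_ONLY is True, open when False or unset), with an audit that walks every registered view so a view that lost its check is caught. SETTINGS, User, PermissionDenied, the view decorator, both view names and audit_views are hypothetical stand-ins; add_list is constructed without its check to show what the audit reports.

```python
# Added example: models a settings-driven staff gate without Django.
# Every name below is a hypothetical stand-in, not the project's API.
from collections import namedtuple
from functools import wraps

SETTINGS = {}  # stands in for the project's settings module
VIEWS = {}     # name -> wrapped view, so a test can enumerate all of them
User = namedtuple("User", "name is_staff")

class PermissionDenied(Exception):
    pass

def staff_check(user):
    """Staff only when TODO_STAFF_ONLY is True; open when False or unset."""
    if SETTINGS.get("TODO_STAFF_ONLY", False):
        return user.is_staff
    return True

def view(gated=True):
    """Register a view; gated views run staff_check before the body."""
    def register(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            if gated and not staff_check(user):
                raise PermissionDenied(func.__name__)
            return func(user, *args, **kwargs)
        VIEWS[func.__name__] = wrapper
        return wrapper
    return register

@view()
def list_lists(user):
    return "lists"

@view(gated=False)  # constructed regression: this view lost its check
def add_list(user):
    return "added"

def audit_views(settings):
    """Return the views a non-staff user can reach under these settings."""
    SETTINGS.clear()
    SETTINGS.update(settings)
    reachable = []
    for name, func in sorted(VIEWS.items()):
        try:
            func(User("guest", False))
        except PermissionDenied:
            continue
        reachable.append(name)
    return reachable
```

With the setting on, anything audit_views returns is a view that ignores it, which is the condition reported in this issue.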