Sporz permissions

sporz/admin.py

@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib import admin
+from django.contrib.auth import get_user_model
+from django.db.models import Q
 
 from med.admin import admin_site
 from .models import GameSave, Player
@@ -16,6 +18,7 @@ class GameSaveAdmin(admin.ModelAdmin):
     inlines = [PlayerInline, ]
     list_display = ('__str__', 'game_master', 'game_has_ended')
     date_hierarchy = 'created_at'
+    autocomplete_fields = ('game_master',)
 
     def has_change_permission(self, request, obj=None):
         """
@@ -43,5 +46,27 @@ class GameSaveAdmin(admin.ModelAdmin):
         request.GET = data
         return super().add_view(request, form_url, extra_context)
 
+    def formfield_for_foreignkey(self, db_field, request, **kwargs):
+        """
+        Authorize game master change only if user can see all users
+        """
+        if db_field.name == 'game_master':
+            if not request.user.has_perm('users.view_user'):
+                kwargs['queryset'] = get_user_model().objects.filter(
+                    username=request.user.username)
+        return super().formfield_for_foreignkey(db_field, request, **kwargs)
+
+    def get_queryset(self, request):
+        """
+        List all game save only if user has view permission
+        else, list only own games and ended games
+        """
+        queryset = super().get_queryset(request)
+        if request.user.has_perm('sporz.view_gamesave'):
+            return queryset
+        return queryset.filter(
+            Q(game_master=request.user) | Q(game_has_ended=True)
+        )
+
 
 admin_site.register(GameSave, GameSaveAdmin)