Don't display the alias create form if the user can't create anyone

apps/member/templates/member/club_alias.html

@@ -9,15 +9,18 @@ SPDX-License-Identifier: GPL-3.0-or-later
     <h3 class="card-header text-center">
         {% trans "Note aliases" %}
     </h3>
+
     <div class="card-body">
-        <form class="input-group" method="POST" id="form_alias">
-            {% csrf_token %}
-            <input type="hidden" name="note" value="{{ object.note.pk }}">
-            <input type="text" name="name" class="form-control">
-            <div class="input-group-append">
-                <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
-            </div>
-        </form>
+        {% if can_create %}
+            <form class="input-group" method="POST" id="form_alias">
+                {% csrf_token %}
+                <input type="hidden" name="note" value="{{ object.note.pk }}">
+                <input type="text" name="name" class="form-control">
+                <div class="input-group-append">
+                    <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
+                </div>
+            </form>
+        {% endif %}
     </div>
     {% render_table aliases %}
 </div>

apps/member/templates/member/profile_alias.html

@@ -10,14 +10,16 @@ SPDX-License-Identifier: GPL-3.0-or-later
         {% trans "Note aliases" %}
     </h3>
     <div class="card-body">
-        <form class="input-group" method="POST" id="form_alias">
-            {% csrf_token %}
-            <input type="hidden" name="note" value="{{ object.note.pk }}">
-            <input type="text" name="name" class="form-control">
-            <div class="input-group-append">
-                <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
-            </div>
-        </form>
+        {% if can_create %}
+            <form class="input-group" method="POST" id="form_alias">
+                {% csrf_token %}
+                <input type="hidden" name="note" value="{{ object.note.pk }}">
+                <input type="text" name="name" class="form-control">
+                <div class="input-group-append">
+                    <input type="submit" class="btn btn-success" value="{% trans "Add" %}">
+                </div>
+            </form>
+        {% endif %}
     </div>
     {% render_table aliases %}
 </div>

apps/member/views.py

@@ -218,7 +218,13 @@ class ProfileAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
-        context["aliases"] = AliasTable(note.alias_set.all())
+        context["aliases"] = AliasTable(note.alias_set.filter(PermissionBackend
+                                                              .filter_queryset(self.request.user, Alias, "view")).all())
+        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
+            note=context["object"].note,
+            name="",
+            normalized_name="",
+        ))
         return context
 
 
@@ -422,7 +428,13 @@ class ClubAliasView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         note = context['object'].note
-        context["aliases"] = AliasTable(note.alias_set.all())
+        context["aliases"] = AliasTable(note.alias_set.filter(PermissionBackend
+                                                              .filter_queryset(self.request.user, Alias, "view")).all())
+        context["can_create"] = PermissionBackend.check_perm(self.request.user, "note.add_alias", Alias(
+            note=context["object"].note,
+            name="",
+            normalized_name="",
+        ))
         return context
 
 

apps/note/tables.py

@@ -97,7 +97,7 @@ class HistoryTable(tables.Table):
         """
         When the validation status is hovered, an input field is displayed to let the user specify an invalidity reason
         """
-        has_perm = PermissionBackend\
+        has_perm = PermissionBackend \
             .check_perm(get_current_authenticated_user(), "note.change_transaction_invalidity_reason", record)
 
         val = "✔" if value else "✖"
@@ -135,8 +135,16 @@ class AliasTable(tables.Table):
 
     delete_col = tables.TemplateColumn(template_code=DELETE_TEMPLATE,
                                        extra_context={"delete_trans": _('delete')},
-                                       attrs={'td': {'class': 'col-sm-1'}},
-                                       verbose_name=_("Delete"),)
+                                       attrs=
+                                       {'td':
+                                            {'class':
+                                                 lambda record: 'col-sm-1'
+                                                                + (' d-none' if not PermissionBackend
+                                                                   .check_perm(get_current_authenticated_user(),
+                                                                               "note.delete_alias", record) else '')
+                                             }
+                                        },
+                                       verbose_name=_("Delete"), )
 
 
 class ButtonTable(tables.Table):
@@ -170,7 +178,7 @@ class ButtonTable(tables.Table):
     delete_col = tables.TemplateColumn(template_code=DELETE_TEMPLATE,
                                        extra_context={"delete_trans": _('delete')},
                                        attrs={'td': {'class': 'col-sm-1'}},
-                                       verbose_name=_("Delete"),)
+                                       verbose_name=_("Delete"), )
 
     def render_amount(self, value):
         return pretty_money(value)