From a83ab4bf857a3df94e87680428169abf7a8840d2 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 26 Apr 2020 01:20:46 +0200
Subject: [PATCH] Add a public rights page to view which permissions are granted to which role, update Font Awesome to 5.13
---
 apps/permission/models.py | 5 +--
 apps/permission/urls.py | 10 ++++++
 apps/permission/views.py | 28 ++++++++++++++-
 locale/de/LC_MESSAGES/django.po | 34 +++++++++++++++---
 locale/fr/LC_MESSAGES/django.po | 34 +++++++++++++++---
 note_kfet/urls.py | 3 +-
 templates/base.html | 38 ++++++++++++--------
 templates/permission/all_rights.html | 52 ++++++++++++++++++++++++++++
 8 files changed, 175 insertions(+), 29 deletions(-)
 create mode 100644 apps/permission/urls.py
 create mode 100644 templates/permission/all_rights.html
diff --git a/apps/permission/models.py b/apps/permission/models.py
index 949e036a..fe18c226 100644
--- a/apps/permission/models.py
+++ b/apps/permission/models.py
@@ -305,14 +305,15 @@ class RolePermissions(models.Model):
 """
 Permissions associated with a Role
 """
- role = models.ForeignKey(
+ role = models.OneToOneField(
 Role,
 on_delete=models.PROTECT,
- related_name='+',
+ related_name='permissions',
 verbose_name=_('role'),
 )
 permissions = models.ManyToManyField(
 Permission,
+ verbose_name=_("permissions"),
 )
 
 def __str__(self):
diff --git a/apps/permission/urls.py b/apps/permission/urls.py
new file mode 100644
index 00000000..c571c520
--- /dev/null
+++ b/apps/permission/urls.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from django.urls import path
+from permission.views import RightsView
+
+app_name = 'permission'
+urlpatterns = [
+ path('rights', RightsView.as_view(), name="rights"),
+]
diff --git a/apps/permission/views.py b/apps/permission/views.py
index 2e41810d..cbd26a19 100644
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
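Review bot: In apps/permission/models.py, turning `RolePermissions.role` into a `OneToOneField` puts a uniqueness constraint on the column, yet the diffstat of this commit lists no migration file. If any role already owns more than one `RolePermissions` row, the generated schema migration will fail on the unique index, so the rows need to be merged first in a data migration. With `related_name='permissions'`, `role.permissions` is now a single `RolePermissions` object rather than a manager, and Python callers get `RelatedObjectDoesNotExist` for a role that has none; a comment on the field such as `# One row per role; reverse accessor role.permissions raises if the row is missing` would make that visible. The class body continues outside the hunk.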
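Review bot: The new route in apps/permission/urls.py is written as `'rights'` without a trailing slash, while every route visible in note_kfet/urls.py (`'admin/'`, `'api/'`, `'permission/'`) ends in one. Django's slash redirect only appends a slash, it never removes one, so a request to `/permission/rights/` would return 404. For consistency the line would read `path('rights/', RightsView.as_view(), name="rights"),`.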
@@ -1,14 +1,18 @@ # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay # SPDX-License-Identifier: GPL-3.0-or-later +from datetime import date from django.forms import HiddenInput -from django.views.generic import UpdateView +from django.utils.translation import gettext_lazy as _ +from django.views.generic import UpdateView, TemplateView +from member.models import Role, Membership from .backends import PermissionBackend class ProtectQuerysetMixin: """ + This is a View class decorator and not a proper View class. Ensure that the user has the right to see or update objects. Display 404 error if the user can't see an object, remove the fields the user can't update on an update form (useful if the user can't change only specified fields). @@ -32,3 +36,25 @@ class ProtectQuerysetMixin: form.fields[key].widget = HiddenInput() return form + + +class RightsView(TemplateView): + template_name = "permission/all_rights.html" + + def get_context_data(self, **kwargs): + context = super().get_context_data(**kwargs) + + context["title"] = _("All rights") + roles = Role.objects.all() + context["roles"] = roles + if self.request.user.is_authenticated: + active_memberships = Membership.objects.filter(user=self.request.user, + date_start__lte=date.today(), + date_end__gte=date.today()).all() + else: + active_memberships = Membership.objects.none() + + for role in roles: + role.clubs = [membership.club for membership in active_memberships if role in membership.roles.all()] + + return context diff --git a/locale/de/LC_MESSAGES/django.po b/locale/de/LC_MESSAGES/django.po index 4a42dca7..408123ff 100644 --- a/locale/de/LC_MESSAGES/django.po +++ b/locale/de/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2020-04-25 19:12+0200\n" +"POT-Creation-Date: 2020-04-26 00:45+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
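Review bot: The docstring line added to `ProtectQuerysetMixin` in apps/permission/views.py calls the class a "View class decorator", but the name and the visible `return form` body suggest it is a mixin combined with a view through inheritance, not something applied with `@`. Wording such as `This is a mixin to combine with a generic View class, not a view on its own.` would avoid the confusion. The class body continues outside this hunk.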
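Review bot: `RightsView` in apps/permission/views.py has no authentication requirement, so every role is put into the context for anonymous visitors. The commit title says the page is meant to be public, but the new "Query:" msgid for all_rights.html suggests the permission queries are rendered as well (the template is not visible here), which would disclose the whole authorization model to unauthenticated readers. If that detail is not meant for outsiders, declare the view as `class RightsView(LoginRequiredMixin, TemplateView):` or render only role names when `request.user.is_authenticated` is false. Separately, `role in membership.roles.all()` inside the loop runs one query per role and membership and `date.today()` is read twice; the fence below prefetches the roles and reads the date once. The class also lacks a docstring stating that the listing is public by design.

```python
        if self.request.user.is_authenticated:
            # Read the clock once so both bounds refer to the same day.
            today = date.today()
            active_memberships = Membership.objects.filter(
                user=self.request.user,
                date_start__lte=today,
                date_end__gte=today,
            ).prefetch_related("roles")
        # … unchanged: else branch and the role.clubs loop …
```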
@@ -856,7 +856,7 @@ msgstr "" msgid "permission" msgstr "" -#: apps/permission/models.py:182 +#: apps/permission/models.py:182 apps/permission/models.py:316 msgid "permissions" msgstr "" @@ -864,7 +864,7 @@ msgstr "" msgid "Specifying field applies only to view and change permission types." msgstr "" -#: apps/permission/models.py:322 apps/permission/models.py:323 +#: apps/permission/models.py:323 apps/permission/models.py:324 msgid "role permissions" msgstr "" @@ -882,13 +882,17 @@ msgid "" "{model_name}." msgstr "" -#: apps/permission/signals.py:100 +#: apps/permission/signals.py:99 #, python-brace-format msgid "" "You don't have the permission to delete this instance of model {app_label}." "{model_name}." msgstr "" +#: apps/permission/views.py:47 +msgid "All rights" +msgstr "" + #: apps/registration/apps.py:10 msgid "registration" msgstr "" @@ -1517,7 +1521,11 @@ msgstr "" msgid "Registrations" msgstr "" -#: templates/base.html:155 +#: templates/base.html:120 +msgid "Rights" +msgstr "" + +#: templates/base.html:158 msgid "" "Your e-mail address is not validated. Please check your mail inbox and click " "on the validation link." @@ -1729,6 +1737,22 @@ msgstr "" msgid "Unable to delete button " msgstr "" +#: templates/permission/all_rights.html:10 +msgid "Filter with roles that I have in at least one club" +msgstr "" + +#: templates/permission/all_rights.html:21 +msgid "Own this role in the clubs" +msgstr "" + +#: templates/permission/all_rights.html:26 +msgid "Query:" +msgstr "" + +#: templates/permission/all_rights.html:28 +msgid "No associated permission" +msgstr "" + #: templates/registration/email_validation_complete.html:6 msgid "Your email have successfully been validated." msgstr "" diff --git a/locale/fr/LC_MESSAGES/django.po b/locale/fr/LC_MESSAGES/django.po index 339a3ab2..65c41e93 100644 --- a/locale/fr/LC_MESSAGES/django.po +++ b/locale/fr/LC_MESSAGES/django.po 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2020-04-25 19:12+0200\n" +"POT-Creation-Date: 2020-04-26 00:45+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -864,7 +864,7 @@ msgstr "champ" msgid "permission" msgstr "permission" -#: apps/permission/models.py:182 +#: apps/permission/models.py:182 apps/permission/models.py:316 msgid "permissions" msgstr "permissions" @@ -874,7 +874,7 @@ msgstr "" "Spécifie le champ concerné, ne fonctionne que pour les permissions view et " "change." -#: apps/permission/models.py:322 apps/permission/models.py:323 +#: apps/permission/models.py:323 apps/permission/models.py:324 msgid "role permissions" msgstr "Permissions par rôles" @@ -896,7 +896,7 @@ msgstr "" "Vous n'avez pas la permission d'ajouter cette instance du modèle {app_label}." "{model_name}." -#: apps/permission/signals.py:100 +#: apps/permission/signals.py:99 #, python-brace-format msgid "" "You don't have the permission to delete this instance of model {app_label}." @@ -905,6 +905,10 @@ msgstr "" "Vous n'avez pas la permission de supprimer cette instance du modèle " "{app_label}.{model_name}." +#: apps/permission/views.py:47 +msgid "All rights" +msgstr "Tous les droits" + #: apps/registration/apps.py:10 msgid "registration" msgstr "inscription" @@ -1566,7 +1570,11 @@ msgstr "Clubs" msgid "Registrations" msgstr "Inscriptions" -#: templates/base.html:155 +#: templates/base.html:120 +msgid "Rights" +msgstr "Droits" + +#: templates/base.html:158 msgid "" "Your e-mail address is not validated. Please check your mail inbox and click " "on the validation link." 
@@ -1783,6 +1791,22 @@ msgstr "Le bouton a bien été supprimé" msgid "Unable to delete button " msgstr "Impossible de supprimer le bouton " +#: templates/permission/all_rights.html:10 +msgid "Filter with roles that I have in at least one club" +msgstr "Filtrer les rôles que je possède dans au moins un club" + +#: templates/permission/all_rights.html:21 +msgid "Own this role in the clubs" +msgstr "Possède ce rôle dans les clubs" + +#: templates/permission/all_rights.html:26 +msgid "Query:" +msgstr "Requête :" + +#: templates/permission/all_rights.html:28 +msgid "No associated permission" +msgstr "Pas de permission associée" + #: templates/registration/email_validation_complete.html:6 msgid "Your email have successfully been validated." msgstr "Votre adresse e-mail a bien été validée." diff --git a/note_kfet/urls.py b/note_kfet/urls.py index 2cd7d6c6..9717087a 100644 --- a/note_kfet/urls.py +++ b/note_kfet/urls.py @@ -25,10 +25,11 @@ urlpatterns = [ # Include Django Contrib and Core routers path('i18n/', include('django.conf.urls.i18n')), path('admin/doc/', include('django.contrib.admindocs.urls')), - path('admin/', admin.site.urls), + path('admin/', admin.site.urls, name="admin"), path('accounts/login/', CustomLoginView.as_view()), path('accounts/', include('django.contrib.auth.urls')), path('api/', include('api.urls')), + path('permission/', include('permission.urls')), ] urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT) diff --git a/templates/base.html b/templates/base.html index 56abd22f..2a1519f4 100644 --- a/templates/base.html +++ b/templates/base.html @@ -31,8 +31,8 @@ SPDX-License-Identifier: GPL-3.0-or-later href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous"> - + + {# JQuery, Bootstrap and Turbolinks JavaScript #} +{% endblock %}
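Review bot: In note_kfet/urls.py, the `name="admin"` added to `path('admin/', admin.site.urls, ...)` has no effect, because `admin.site.urls` is a tuple of patterns and `path()` builds a resolver for it without using `name`. A template that relies on `{% url 'admin' %}` would therefore raise `NoReverseMatch`; whether base.html does so cannot be seen on this page. The admin index is already reversible through its namespace, so the line can stay `path('admin/', admin.site.urls),` and links can use `{% url 'admin:index' %}`. The `urlpatterns` list starts outside the hunk.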