Merge pull request #492 from ColonelThirtyTwo/move-reports

Allow staff to change a report's project
GhostManager · Sep 25, 2024 · 2d40b2f · 2d40b2f
2 parents 48c5eb6 + 1c06771
commit 2d40b2f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/ghostwriter/reporting/forms.py b/ghostwriter/reporting/forms.py
@@ -25,7 +25,7 @@
 )
 
 # Ghostwriter Libraries
-from ghostwriter.api.utils import get_client_list, get_project_list
+from ghostwriter.api.utils import get_client_list, get_project_list, verify_user_is_privileged
 from ghostwriter.commandcenter.forms import ExtraFieldsField
 from ghostwriter.commandcenter.models import ReportConfiguration
 from ghostwriter.modules.custom_layout_object import SwitchToggle
@@ -286,19 +286,26 @@ class Meta:
 
     def __init__(self, user=None, project=None, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        # If this is an update, mark the project field as read-only
+        # Don't allow non-manager users to move a report's project
         instance = getattr(self, "instance", None)
+        user_is_privileged = verify_user_is_privileged(user)
         if instance and instance.pk:
-            self.fields["project"].disabled = True
+            if user is None or not user_is_privileged:
+                self.fields["project"].disabled = True
 
-        # Limit the list to the pre-selected project and disable the field
-        if project:
+        # If there is a project and user is not privileged,
+        # limit the list to the pre-selected project and disable the field
+        if project and not user_is_privileged:
             self.fields["project"].queryset = Project.objects.filter(pk=project.pk)
             self.fields["project"].disabled = True
 
-        if not project:
+        # If no project is selected, limit the list to what the user can access
+        # Checks for privilege so that privileged users get a list with only active projects
+        if not project or user_is_privileged:
             projects = get_project_list(user)
-            active_projects = projects.filter(complete=False).order_by("-start_date", "client", "project_type").defer("extra_fields")
+            active_projects = (
+                projects.filter(complete=False).order_by("-start_date", "client", "project_type").defer("extra_fields")
+            )
             if active_projects:
                 self.fields["project"].empty_label = "-- Select an Active Project --"
             else:

diff --git a/ghostwriter/reporting/views.py b/ghostwriter/reporting/views.py
@@ -1641,7 +1641,12 @@ def handle_no_permission(self):
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
-        kwargs.update({"project": self.get_object().project, "user": self.request.user})
+        kwargs.update(
+            {
+                "project": self.get_object().project,
+                "user": self.request.user,
+            }
+        )
         return kwargs
 
     def get_context_data(self, **kwargs):