✨ allow specification of staff group instead of User.is_staff for `…

…@is_staff` `is_staff` is required for accessing the admin, which may also be non-staff
okfde · Nov 4, 2024 · e853686 · e853686
1 parent 473c57e
commit e853686
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/froide/helper/auth.py b/froide/helper/auth.py
@@ -1,10 +1,12 @@
 from functools import lru_cache, reduce
 from operator import or_
 
+from django.conf import settings
 from django.contrib.auth import get_permission_codename
 from django.core.exceptions import PermissionDenied
 from django.db.models import Q
 
+from froide.account.models import User
 from froide.team.models import Team
 
 AUTH_MAPPING = {
@@ -225,9 +227,16 @@ def get_user_filter(request, teams=None, fk_path=None):
     return filter_arg
 
 
+def is_staff(user: User) -> bool:
+    if hasattr(settings, "STAFF_GROUP") and settings.STAFF_GROUP:
+        return user.groups.filter(pk=settings.STAFF_GROUP).exists()
+    else:
+        return user.is_staff
+
+
 def require_staff(view_func):
     def decorator(request, *args, **kwargs):
-        if not hasattr(request, "user") or not request.user.is_staff:
+        if not is_staff(request.user):
             raise PermissionDenied
         return view_func(request, *args, **kwargs)
 

diff --git a/froide/settings.py b/froide/settings.py
@@ -119,6 +119,10 @@ def MFA_SITE_TITLE(self):
 
     MANAGERS = ADMINS
 
+    # instead of relying on user's `is_staff` attribute, you can also
+    # specify a user group that should be considered as staff
+    STAFF_GROUP = None
+
     INTERNAL_IPS = values.TupleValue(("127.0.0.1",))
 
     # ############## PATHS ###############