✨ add is_crew attribute to users to differ between employee and admin access

froide/account/models.py

@@ -1,6 +1,7 @@
 import json
 import os
 import re
+from functools import cached_property
 from re import Pattern
 from typing import Dict, List, Optional, Tuple, Union
 
@@ -243,6 +244,13 @@ def get_dict(self, fields):
     def trusted(self) -> bool:
         return self.is_trusted or self.is_staff or self.is_superuser
 
+    @cached_property
+    def is_crew(self) -> bool:
+        if hasattr(settings, "CREW_GROUP") and settings.CREW_GROUP:
+            return self.groups.filter(pk=settings.CREW_GROUP).exists()
+        else:
+            return self.is_staff
+
     @classmethod
     def export_csv(cls, queryset, fields=None):
         if fields is None:

froide/document/filters.py

@@ -58,7 +58,7 @@ def filter_foirequest(self, qs, name, value):
 
 
 def get_portal_queryset(request):
-    if not request.user.is_staff:
+    if not request.user.is_crew:
         return DocumentPortal.objects.filter(public=True)
     return DocumentPortal.objects.all()
 

froide/foirequest/views/attachment.py

@@ -70,7 +70,7 @@ def approve_attachment(request, foirequest, attachment_id):
     att = get_object_or_404(
         FoiAttachment, id=attachment_id, belongs_to__request=foirequest
     )
-    if not att.can_approve and not request.user.is_staff:
+    if not att.can_approve and not request.user.is_crew:
         return render_403(request)
 
     # hard guard against publishing of non publishable requests

froide/helper/auth.py

@@ -148,7 +148,7 @@ def get_read_queryset(
     codename = get_permission_codename("view", opts)
     if (
         token is None
-        and user.is_staff
+        and user.is_crew
         and user.has_perm("%s.%s" % (opts.app_label, codename))
     ):
         return qs
@@ -188,7 +188,7 @@ def get_write_queryset(
     codename = get_permission_codename("change", opts)
     if (
         token is None
-        and user.is_staff
+        and user.is_crew
         and user.has_perm("%s.%s" % (opts.app_label, codename))
     ):
         return qs
@@ -225,9 +225,9 @@ def get_user_filter(request, teams=None, fk_path=None):
     return filter_arg
 
 
-def require_staff(view_func):
+def require_crew(view_func):
     def decorator(request, *args, **kwargs):
-        if not hasattr(request, "user") or not request.user.is_staff:
+        if not request.user.is_crew:
             raise PermissionDenied
         return view_func(request, *args, **kwargs)
 

froide/settings.py

@@ -119,6 +119,10 @@ def MFA_SITE_TITLE(self):
 
     MANAGERS = ADMINS
 
+    # instead of relying on user's `is_staff` attribute, you can also
+    # specify a user group that should be considered as "crew"
+    CREW_GROUP = None
+
     INTERNAL_IPS = values.TupleValue(("127.0.0.1",))
 
     # ############## PATHS ###############