Sunday, September 3, 2017

Custom permissions for the detail action (continued)

We now have a new method lino.core.actions.Action.get_label(). This caused also a few code changes in the renderer of ExtJS 6 front end.

This change was needed because lino.core.actors.Actor._collect_actions() now attaches also the library actions, which caused the label property of the actors of these to be read already during startup for these actions as well. This caused a problem for actors with a dynamic label because they do a database lookup (e.g. lino_book.projects.actors; en passant I converted the index.rst file of that demo project to The label of the actor). Oh yes, this is historically grown and poorly documented code.

Another question was: Can teachers (in Lino Avanti) confirm an enrolment? This is what changed with the new feature, and it made the Avanti test suite fail. Laura should not have permission to confirm that enrolment because the author is another user (nathalie) and Laura is just a teacher.

>>> from lino import startup
>>> startup('lino_book.projects.adg.settings.demo')
>>> from lino.api.doctest import *
>>> ar = rt.login('laura')
>>> user_type = ar.get_user().user_type
>>> user_type
<users.UserTypes.teacher:100>
>>> user_type.role
... 
<lino_avanti.lib.avanti.user_types.Teacher object at ...>
>>> obj = rt.models.courses.Enrolment.objects.get(pk=9)
>>> obj.user
User #5 ('nathalie')
>>> obj.wf1.get_row_permission(ar)
True
>>> ba = obj.wf1.bound_action
>>> ba.actor.get_row_state(obj)
<EnrolmentStates.requested:10>
>>> ba.actor
lino_xl.lib.courses.desktop.Enrolments
>>> ba.actor.get_row_permission(obj, ar, obj.state, ba)
True
>>> obj.get_row_permission(ar, obj.state, ba)
True
>>> obj.manager_roles_required
set([<class 'lino.core.roles.SiteUser'>])

Okay now I see. It’s because I added the SiteUser role to the Teacher user type. And that was correct: teachers are site users.

The manager_roles_required attribute on Enrolment is not SiteStaff but :class:`SiteUser. It is defined as:

manager_roles_required = dd.login_required()

So it is “normal” that every site user can edit the state of enrolments made by other users. It was rather a bug that in Avanti this was not allowed because Teacher (by mistake) was lacking the SiteUser role.