feat(permission groups): added automatic assigning of is_staff flag

Author: ikjelle

symfexit/adminsite/management/commands/create_permission_groups.py

@@ -11,3 +11,7 @@ def handle(self, *args, **options):
             code=WellKnownPermissionGroup.WellKnownPermissionGroups.VIEW_ALL
         )
         group_ref.update_permissions()
+        group_ref = WellKnownPermissionGroup.get_or_create(
+            code=WellKnownPermissionGroup.WellKnownPermissionGroups.CONTACT_PERSON
+        )
+        group_ref.update_permissions()

symfexit/adminsite/migrations/0004_alter_wellknownpermissiongroup_code.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.7 on 2025-11-09 23:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('adminsite', '0003_groupflags'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='wellknownpermissiongroup',
+            name='code',
+            field=models.CharField(choices=[('view_all', 'View all'), ('contact_person', 'Contact person')], max_length=255, unique=True),
+        ),
+    ]

symfexit/adminsite/models.py

@@ -1,10 +1,13 @@
 from django.contrib.auth.models import Group, Permission
-from django.db import IntegrityError, models
+from django.db import IntegrityError, models, transaction
+from django.db.models.signals import post_delete, post_save
+from django.dispatch import receiver
 
 
 class WellKnownPermissionGroup(models.Model):
     class WellKnownPermissionGroups(models.TextChoices):
         VIEW_ALL = "view_all", "View all"
+        CONTACT_PERSON = "contact_person", "Contact person"
 
     code = models.CharField(
         unique=True,
@@ -50,6 +53,25 @@ def update_permissions(self):
                         Permission.objects.get(codename="view_membershipapplication"),
                     ]
                 )
+                try:
+                    flags = self.group.flags
+                except GroupFlags.DoesNotExist:
+                    flags = GroupFlags(group=self.group)
+                flags.members_become_staff = True
+
+            case WellKnownPermissionGroup.WellKnownPermissionGroups.CONTACT_PERSON:
+                self.group.permissions.set(
+                    [
+                        Permission.objects.get(codename="view_membership"),
+                        Permission.objects.get(codename="view_member"),
+                        Permission.objects.get(codename="change_member"),
+                    ]
+                )
+                try:
+                    flags = self.group.flags
+                except GroupFlags.DoesNotExist:
+                    flags = GroupFlags(group=self.group)
+                flags.members_become_staff = True
 
 
 class GroupFlags(models.Model):
@@ -64,3 +86,15 @@ class GroupFlags(models.Model):
 
     def __str__(self):
         return f"Flags for group {self.group}"
+
+
+def reset_user_staff(group: Group):
+    for user in group.user_set.all():
+        user.set_staff_rights()
+        user.save()
+
+
+@receiver(post_save, sender=GroupFlags)
+@receiver(post_delete, sender=GroupFlags)
+def on_group_change(sender, instance: GroupFlags, **kwargs):
+    transaction.on_commit(lambda: reset_user_staff(instance.group))

symfexit/members/models.py

@@ -8,6 +8,8 @@
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
+from symfexit.adminsite.models import GroupFlags, WellKnownPermissionGroup
+
 
 def generate_member_number():
     largest_member_number = User.objects.all().order_by("-member_identifier").first()
@@ -133,18 +135,26 @@ def email_user(self, subject, message, from_email=None, **kwargs):
         send_mail(subject, message, from_email, [self.email], **kwargs)
 
     def set_staff_rights(self) -> bool:
-        if self.is_superuser:
-            # This should already be set to True
-            self.is_staff = True
-            return True
-
-        # Staff via group permission
-        staff_via_group = self.groups.filter(flags__members_become_staff=True).exists()
-
-        # Staff via being contact person
-        staff_via_localgroup = self.contact_person_for_groups.count() >= 1
-
-        self.is_staff = staff_via_group or staff_via_localgroup
+        # Add/remove user to contact person permission group
+        contact_person_group = WellKnownPermissionGroup.get_or_create(
+            WellKnownPermissionGroup.WellKnownPermissionGroups.CONTACT_PERSON
+        )
+        is_contact_person = self.contact_person_for_groups.count() >= 1
+        if is_contact_person:
+            contact_person_group.group.user_set.add(self)
+        else:
+            contact_person_group.group.user_set.remove(self)
+
+        # set user as staff, if any group requires it
+        for group in self.groups.all():
+            try:
+                if group.flags.members_become_staff:
+                    self.is_staff = True
+                    break
+            except GroupFlags.DoesNotExist:
+                pass
+        else:
+            self.is_staff = False
         return self.is_staff
 
 
@@ -170,7 +180,7 @@ def __str__(self):
 # START Signals for is_staff updating
 
 
-def update_user_staff_rights(users):
+def update_user_staff_rights(users: list[User]):
     for user in users:
         user.set_staff_rights()
     User.objects.bulk_update(users, ["is_staff"])
@@ -181,8 +191,10 @@ def user_groups_changed(sender, instance, action, pk_set, **kwargs):
     if action not in ["post_add", "post_remove", "post_clear"]:
         return
 
-    # instance is the user being modified
-    update_user_staff_rights([instance])
+    # Ensure instance is a User object and not a group
+    if isinstance(instance, User):
+        # Call your function to update user rights
+        update_user_staff_rights([instance])
 
 
 @receiver(m2m_changed, sender=LocalGroup.contact_people.through)