refactor and split up permissions checks and improve .save conditio…

…nals
CenterForOpenScience · Jan 9, 2025 · d1a7412 · d1a7412
1 parent 52d1a43
commit d1a7412
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 25 deletions.
diff --git a/api/requests/permissions.py b/api/requests/permissions.py
@@ -81,7 +81,7 @@ def has_permission(self, request, view):
         if not institution.institutional_request_access_enabled:
             raise exceptions.PermissionDenied({'institution': 'Institutional request access is not enabled.'})
 
-        if get_user_auth(request).user.is_institutional_admin_or_curator(institution):
+        if get_user_auth(request).user.is_institutional_admin_at(institution):
             return True
         else:
             raise exceptions.PermissionDenied({'institution': 'You do not have permission to perform this action for this institution.'})

diff --git a/api/users/permissions.py b/api/users/permissions.py
@@ -79,6 +79,6 @@ def has_permission(self, request, view) -> bool:
 
         message_type = request.data.get('message_type')
         if message_type == MessageTypes.INSTITUTIONAL_REQUEST:
-            return user.is_institutional_admin_or_curator(institution) and institution.institutional_request_access_enabled
+            return user.is_institutional_admin_at(institution) and institution.institutional_request_access_enabled
         else:
             raise exceptions.ValidationError('Not valid message type.')
diff --git a/api/users/serializers.py b/api/users/serializers.py
@@ -760,7 +760,7 @@ def create(self, validated_data: Dict[str, Any]) -> UserMessage:
             'institution',
         )
 
-        if not sender.is_institutional_admin_or_curator(institution):
+        if not sender.is_institutional_admin_at(institution):
             raise Conflict({'sender': 'Only institutional administrators can create messages.'})
 
         if not recipient.is_affiliated_with_institution(institution):

diff --git a/osf/models/contributor.py b/osf/models/contributor.py
@@ -43,12 +43,11 @@ class Meta:
         order_with_respect_to = 'node'
 
     def save(self, *args, **kwargs):
-        if not self.user.is_institutional_admin_or_curator():
-            return super().save(*args, **kwargs)
-        elif self.visible:
-            raise IntegrityError('Curators cannot be made bibliographic contributors')
-        else:
-            return super().save(*args, **kwargs)
+        if self.user.is_institutional_admin():
+            if self.visible:
+                raise IntegrityError('Curators cannot be made bibliographic contributors')
+
+        return super().save(*args, **kwargs)
 
 
 class PreprintContributor(AbstractBaseContributor):

diff --git a/osf/models/user.py b/osf/models/user.py
@@ -644,25 +644,33 @@ def osf_groups(self):
         OSFGroup = apps.get_model('osf.OSFGroup')
         return get_objects_for_user(self, 'member_group', OSFGroup, with_superuser=False)
 
-    def is_institutional_admin_or_curator(self, institution=None, node=None):
+    def is_institutional_admin_at(self, institution):
         """
-        Checks if user is admin of any or of a specific institution, or and curator on a specific node.
+        Checks if user is admin of a specific institution.
         """
-        if node:
-            return Contributor.objects.filter(
-                node=node,
-                user=self,
-                is_curator=True,
-            ).exists()
+        return self.has_perms(
+            institution.groups['institutional_admins'],
+            institution
+        )
 
-        if not institution:
-            return self.groups.filter(
-                name__startswith='institution_',
-                name__endswith='_institutional_admins'
-            ).exists()
+    def is_institutional_admin(self):
+        """
+        Checks if user is admin of any institution.
+        """
+        return self.groups.filter(
+            name__startswith='institution_',
+            name__endswith='_institutional_admins'
+        ).exists()
 
-        group_name = institution.format_group('institutional_admins')
-        return self.groups.filter(name=group_name).exists()
+    def is_institutional_curator(self, node):
+        """
+        Checks if user is user has curator permissions for a node.
+        """
+        return Contributor.objects.filter(
+            node=node,
+            user=self,
+            is_curator=True,
+        ).exists()
 
     def group_role(self, group):
         """

diff --git a/website/profile/utils.py b/website/profile/utils.py
@@ -33,7 +33,7 @@ def serialize_user(user, node=None, admin=False, full=False, is_profile=False, i
         'surname': user.family_name,
         'fullname': fullname,
         'shortname': fullname if len(fullname) < 50 else fullname[:23] + '...' + fullname[-23:],
-        'is_curator': user.is_institutional_admin_or_curator(node=node),
+        'is_curator': user.is_institutional_curator(node),
         'profile_image_url': user.profile_image_url(size=settings.PROFILE_IMAGE_MEDIUM),
         'active': user.is_active,
     }