Program Manager Permission Issue #533
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pxwxnvermx
reviewed
Mar 27, 2025
pxwxnvermx
reviewed
Apr 1, 2025
pxwxnvermx
reviewed
Apr 1, 2025
| @@ -19,7 +20,7 @@ | |||
| {% block content %} | |||
| <h2>Invoices</h2> | |||
| <hr /> | |||
| {% if not request.org_membership.is_program_manager %} | |||
| {% if not request|is_program_manager_for_opportunity:opportunity.id %} | |||
There was a problem hiding this comment.
Can we evaluate this function once in the view and pass this down through the context to use on this page? This will reduce the number of times this function is called.
There was a problem hiding this comment.
I see your point, and I partially agree. However, the main reason I implemented this as a template filter was to avoid explicitly passing the value from the view. This allows it to be accessed directly within the template when needed. Additionally, I think calling this function shouldn’t have a performance impact since the request object properties are already pre-cached—or do you see any potential concerns in this regard?
| @@ -52,7 +53,7 @@ <h1 class="mb-0">{{ object.name }}</h1> | |||
| {% translate "Review User Visits" %} | |||
| </a> | |||
| </li> | |||
| {% if request.org_membership.is_program_manager or request.user.is_superuser %} | |||
| @@ -21,7 +22,7 @@ <h2 class="mb-2">User Visit Review</h2> | |||
| <form method="get" x-data="" x-ref="reviewFilterForm"> | |||
| {% crispy review_filter.form %} | |||
| </form> | |||
| {% if request.org_membership.is_admin and request.org.program_manager %} | |||
| @@ -145,7 +146,7 @@ <h2 class="mb-2">Images</h2> | |||
| </dl> | |||
| {% endif %} | |||
| <div id="action-buttons" style="margin-bottom: 25px;"> | |||
| {% if request.org_membership.is_admin and request.org.program_manager or request.org_membership.is_viewer %} | |||
| {% if request.org_membership.is_admin and request|is_program_manager_for_opportunity:visit.opportunity.id or request.org_membership.is_viewer %} | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Product Description
We had a security issue where an NM organization was also a PM organization in another program. Our current code allowed the NM organization to access all PM functionalities in an opportunity where it was only an NM. This PR fixes that issue.
Technical Summary
CCCT-880
Safety Assurance
Safety story
Tested the views on local.
Automated test coverage
All previous tests are passing
QA Plan
Raised a ticket for QA
Labels & Review