From 2561f2af0177632c2cdfb4a8cfa215a393b60e65 Mon Sep 17 00:00:00 2001
From: Sebastian Blom
Date: Thu, 21 May 2026 11:42:02 +0200
Subject: [PATCH 1/3] references in application

---
 backend/backend/admin.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/backend/backend/admin.py b/backend/backend/admin.py
index 88dc13b..a571487 100644
--- a/backend/backend/admin.py
+++ b/backend/backend/admin.py
@@ -220,6 +220,16 @@ def formfield_for_foreignkey(self, db_field, request, **kwargs):
         kwargs["queryset"] = Role.objects.filter(team_id__in=team_ids)
         return super().formfield_for_foreignkey(db_field, request, **kwargs)
 
+class ReferenceInline(admin.TabularInline):
+    model = Reference
+    extra = 0
+    readonly_fields = ("name", "phone_num", "title", "email", "comment")
+    can_delete = False
+    search_fields = ("name", "email", "application__member__name")
+    list_filter_submit = True
+
+    def has_add_permission(self, request):
+        return False
 
 @admin.register(Application)
 class ApplicationAdmin(AppointerTeamScopeMixin, ModelAdmin):
@@ -232,6 +242,7 @@ class ApplicationAdmin(AppointerTeamScopeMixin, ModelAdmin):
         "member__email",
     )
     list_filter_submit = True
+    inlines = [ReferenceInline]
     actions_row = ("appoint_application", "turn_down_application")
     actions_detail = ("appoint_application", "turn_down_application")
 
@@ -314,16 +325,6 @@ def formfield_for_foreignkey(self, db_field, request, **kwargs):
     def has_add_permission(self, request):
         return False
 
-
-@admin.register(Reference)
-class ReferenceAdmin(ModelAdmin):
-    list_display = ("name", "application", "email", "phone_num", "title")
-    search_fields = ("name", "email", "application__member__name")
-    list_filter_submit = True
-
-    def has_add_permission(self, request):
-        return False
-
 class StudyProgramInline(admin.TabularInline):
     model = StudyProgram
     extra = 1
From 69fe060efd76ac355e8273857a91daba8893a7b2 Mon Sep 17 00:00:00 2001
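Review bot: `ReferenceInline` constrains editing only through `readonly_fields`, so if `Reference` carries any field beyond the five listed (the hunk does not show the model), that field would still render as an editable input inside the Application change view; pinning `fields = ("name", "phone_num", "title", "email", "comment")` makes the read-only intent hold regardless of the model's other columns. A class docstring would also help readers of admin.py, e.g. `"""Read-only listing of an application's references; nothing can be added from here."""`.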
From: Sebastian Blom
Date: Thu, 21 May 2026 11:55:01 +0200
Subject: [PATCH 2/3] put references in application view

---
 backend/backend/admin.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/backend/admin.py b/backend/backend/admin.py
index a571487..b884dca 100644
--- a/backend/backend/admin.py
+++ b/backend/backend/admin.py
@@ -225,10 +225,8 @@ class ReferenceInline(admin.TabularInline):
     extra = 0
     readonly_fields = ("name", "phone_num", "title", "email", "comment")
     can_delete = False
-    search_fields = ("name", "email", "application__member__name")
-    list_filter_submit = True
 
-    def has_add_permission(self, request):
+    def has_add_permission(self, request, _obj=None):
         return False
 
 @admin.register(Application)
From 2385663fe349832e5418720f19d1c0290b49691c Mon Sep 17 00:00:00 2001
From: Ebin Bellini
Date: Thu, 28 May 2026 18:37:53 +0200
Subject: [PATCH 3/3] Fix references permissions

Also fixed a bug causing the request to fail when deleting multiple applications in one go.
---
 backend/backend/admin.py | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/backend/backend/admin.py b/backend/backend/admin.py
index b884dca..2d5ad6f 100644
--- a/backend/backend/admin.py
+++ b/backend/backend/admin.py
@@ -57,6 +57,10 @@ def has_view_permission(self, request, obj=None):
             return False
         if obj is None:
             return True
+        if not hasattr(obj, "_meta"):
+            obj = self.get_object(request, obj)
+            if obj is None:
+                return False
         return self.get_object_team_id(obj) in self._get_appointer_team_ids(
             request.user
         )
@@ -83,6 +87,12 @@ def get_queryset(self, request):
 
         return queryset.filter(**self.get_team_filter(team_ids)).distinct()
 
+    def delete_queryset(self, request, queryset):
+        pk_list = list(queryset.values_list("pk", flat=True))
+        if not pk_list:
+            return
+        self.model._default_manager.filter(pk__in=pk_list).delete()
+
 
 @admin.register(Group)
 class GroupAdmin(BaseGroupAdmin, ModelAdmin):
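Review bot: The renamed parameter `_obj=None` in `ReferenceInline.has_add_permission` breaks from Django's `InlineModelAdmin.has_add_permission(self, request, obj)` signature; the admin's positional call still works, but any caller passing `obj=` by keyword gets a TypeError, and the underscore hides the hook's parameter from anyone searching for it. `def has_add_permission(self, request, obj=None):` keeps the framework's name while still ignoring the value.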
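Review bot: The new `hasattr(obj, "_meta")` branch in the mixin's `has_view_permission` carries no comment saying why something other than a model instance can arrive here, and a duck-type check on `_meta` is not self-explanatory; add `# obj may arrive as a raw pk rather than an instance; resolve it through the team-scoped get_queryset so out-of-scope ids deny`. The resolution is sound as written because `self.get_object` goes through `get_queryset`, which filters by appointer team, so a pk outside the caller's scope yields None and the method returns False rather than leaking the row. If the mixin's change/delete permission methods (outside this hunk) can receive a pk the same way, they need the same normalization, otherwise `get_object_team_id` is handed a bare id. `has_view_permission` begins outside the hunk.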
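Review bot: `delete_queryset` re-selects rows through the unscoped `self.model._default_manager` without a comment explaining why it does not simply call `queryset.delete()`; the likely reason is that `get_queryset` returns a `.distinct()` queryset, which Django refuses to delete, and the `pk__in` round trip avoids that. The override is only safe because `queryset` originates from the team-scoped `get_queryset`, so that invariant should be stated at the top of the method: `# queryset comes from the team-scoped get_queryset(); re-select by pk because a .distinct() queryset cannot be .delete()d`. A future caller handing in a queryset built elsewhere would otherwise delete whatever pks it contains with no scope check in this method.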
@@ -226,6 +236,37 @@ class ReferenceInline(admin.TabularInline):
     readonly_fields = ("name", "phone_num", "title", "email", "comment")
     can_delete = False
 
+    def _get_appointer_team_ids(self, user):
+        if not user or not user.is_authenticated or user.is_superuser:
+            return []
+
+        if hasattr(user, "get_appointer_team_ids"):
+            return user.get_appointer_team_ids()
+
+        return []
+
+    def _has_application_scope(self, request, obj=None):
+        if request.user.is_superuser:
+            return True
+
+        team_ids = self._get_appointer_team_ids(request.user)
+        if not team_ids:
+            return False
+
+        if obj is None:
+            return True
+
+        return obj.position.role.team_id in team_ids
+
+    def has_view_permission(self, request, obj=None):
+        return self._has_application_scope(request, obj)
+
+    def has_change_permission(self, request, obj=None):
+        return self._has_application_scope(request, obj)
+
+    def has_delete_permission(self, request, obj=None):
+        return self._has_application_scope(request, obj)
+
     def has_add_permission(self, request, _obj=None):
         return False
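Review bot: The three permission overrides on `ReferenceInline` replace Django's codename check (`request.user.has_perm` on the Reference view/change/delete permissions) with appointer team scope alone, so granting or revoking those model permissions no longer has any effect on the inline; if that is intended, say so above `_has_application_scope`, e.g. `# Scope-only check: whoever may view the parent Application may see its references, independent of Reference model perms.`. `_get_appointer_team_ids` also duplicates the helper of the same name that `AppointerTeamScopeMixin.has_view_permission` calls, and `obj.position.role.team_id` hardcodes the team path the mixin abstracts behind `get_object_team_id`, so the two scope definitions can drift apart. `obj.position.role` is assumed non-null here; if `position` can be unset on an Application, the check raises instead of denying. The class header lies outside the hunk.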