Allows a user other than the submitter to edit a review request if he has permissions.

Review Request #386 — Created May 15, 2008 and submitted

Information

Review Board SVN (deprecated)
trunk

Reviewers

This is a very little patch to allow a user that has permissions to edit a review. The djblet (ifuserorperm) was already there to help doing it. I just replaced 'ifequal request.user review_request.submitter' by 'ifuserorperm review_request.submitter "reviews.<some permission>"' in a few places.
I could not find documentation that explain the meaning of each permission. So verify that I used them in the right context.
Note that I allowed a user that has change_review_request but not can_change_status to Publish a review request. It didn't make sense to me to allow them to change but not to publish.

The option that need to be set under the admin page to allow access is: "reviews | review request | can change review"

(update - 2nd patch)
To be consistent with your comments, I've added a permission and modified the is_mutable_by() function. I haven't seen any side effects. It seems like the function was mainly using the first  conditional.
It's been tested on our server by opening reviews with users that both have the permission and that don't have it.
chipx86
  1. This looks fine though I think we need to discuss if we want to reuse the change_reviewrequest permission or if we want something else. The change_reviewrequest is generally meant for the admin UI, but reusing it is probably okay.
    1. I'm almost tempted to say that we should avoid the permission flags created by contrib.admin entirely and create our own set of ACL properties.
    2. I think I agree.
    3. I didn't realize that those permissions were coming from the django administration. I guess it explains why they were not being used :-)
      Creating your own permission makes sense.
      Do you have an idea of the interface to present those, should we add them to the current list ?
    4. I added a new permission called 'can_edit_reviewrequest'. However digging deeper, I noticed that the function is_mutable_by() from reviews/models.py is reacting on the 'change_reviewrequest' permission. 
      It seems to be used outside the scope of the Admin UI. Is that intended? 
      Which way would you like to go ?
      
  2. 
      
FR
david
  1. Committed as r1375.  Thanks!
  2. 
      
Loading...