From fdcc103571196f0900b43f90b7eac8460972f348 Mon Sep 17 00:00:00 2001 From: Jens Kleineheismann Date: Mon, 29 Jan 2018 17:53:29 +0100 Subject: [PATCH] Improved authorization. --- .../templates/dav_events/event_detail.html | 8 +++--- dav_events/views/events.py | 27 ++++++++++++++++--- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/dav_events/templates/dav_events/event_detail.html b/dav_events/templates/dav_events/event_detail.html index 8c48cab..c149cf6 100644 --- a/dav_events/templates/dav_events/event_detail.html +++ b/dav_events/templates/dav_events/event_detail.html @@ -14,12 +14,12 @@ {% trans 'Details' %} -
  • - + {% trans 'Freigeben' %}
  • -
  • - + {% trans 'Ă„ndern' %}
  • diff --git a/dav_events/views/events.py b/dav_events/views/events.py index b941305..a37f30a 100644 --- a/dav_events/views/events.py +++ b/dav_events/views/events.py @@ -31,12 +31,20 @@ class EventListView(generic.ListView): elif has_role(user, 'manage_all'): qs = self.model.objects.all() else: + filter = Q(owner=user) + user_sports_list = list() for k in ('W', 'S', 'M', 'K', 'B'): role = 'manage_{}'.format(k.lower()) if has_role(user, role): user_sports_list.append(k) - qs = self.model.objects.filter(Q(owner=user) | Q(sport__in=user_sports_list)) + + filter |= Q(sport__in=user_sports_list) + + if has_role(user, 'publish') or has_role(user, 'publish_incremental'): + filter |= Q(accepted=True) + + qs = self.model.objects.filter(filter) return qs @@ -110,10 +118,21 @@ class EventPermissionMixin(object): return True if has_role(user, 'manage_{}'.format(obj.sport.lower())): return True - elif permission in ('update', 'accept'): - if has_role(user, 'manage_all'): + if obj.accepted and (has_role(user, 'publish') or has_role(user, 'publish_incremental')): return True - if has_role(user, 'manage_{}'.format(obj.sport.lower())): + elif permission == 'accept': + if not obj.accepted: + if has_role(user, 'manage_all'): + return True + if has_role(user, 'manage_{}'.format(obj.sport.lower())): + return True + elif permission == 'update': + if not obj.accepted: + if has_role(user, 'manage_all'): + return True + if has_role(user, 'manage_{}'.format(obj.sport.lower())): + return True + elif has_role(user, 'publish') or has_role(user, 'publish_incremental'): return True return False
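Review bot: The new local `filter` in the `else` branch of the `EventListView` queryset method shadows the builtin `filter()`; a name such as `visible = Q(owner=user)`, extended with `visible |= ...`, says what the expression is for and leaves the builtin usable. The role test `has_role(user, 'publish') or has_role(user, 'publish_incremental')` added here is written out again twice in the `EventPermissionMixin` hunk below. A single small helper, for example `can_publish(user)`, used in both places would keep the list filter and the per-object check from drifting apart, and that kind of drift is how a list ends up showing events the detail view refuses, or the reverse. The method starts above the hunk, so its earlier branches are not visible here.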
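Review bot: The `update` branch of the `EventPermissionMixin` check now depends on `obj.accepted` without saying so. Once an event is accepted, `manage_all` and `manage_<sport>` no longer grant `update` and only the two publish roles do. If that is intended, a comment above the branch such as `# accepted events are frozen for managers; only publish roles may still edit them` would stop a later reader from "fixing" it. The `accept` branch and the unaccepted half of `update` are identical and could share `elif permission in ('accept', 'update') and not obj.accepted:`, followed by a separate `elif permission == 'update' and (...)` for the publish roles. The function begins outside the hunk and the views that change `accepted` are not shown, so it is worth confirming that they re-check the state when saving rather than relying on this check alone.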