From 1fd491b0dc5f0d2aebaff4b3aaf2a5e02c4854d3 Mon Sep 17 00:00:00 2001 From: Fredrik Jonsson Date: Tue, 17 Mar 2026 08:29:39 +0100 Subject: [PATCH 1/3] Fix bugs in fund permissions. --- hypha/apply/funds/permissions.py | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/hypha/apply/funds/permissions.py b/hypha/apply/funds/permissions.py index 2a1d6bb9fc..581e19c34d 100644 --- a/hypha/apply/funds/permissions.py +++ b/hypha/apply/funds/permissions.py @@ -55,10 +55,12 @@ def view_comments(role, user, submission) -> bool: if role == StaffAdmin: return True - if is_user_has_access_to_view_submission(user, submission): + submission_view, _ = can_view_submission(user, submission) + if submission_view: return True - if submission.project and can_access_project(user, submission.project): + project = getattr(submission, "project", None) + if project and can_access_project(user, project): return True return False @@ -156,10 +158,8 @@ def can_alter_archived_submissions(user, submission=None) -> (bool, str): def can_bulk_archive_submissions(user) -> bool: - if can_alter_archived_submissions(user) and can_bulk_delete_submissions(user): - return True - - return False + can_alter, _ = can_alter_archived_submissions(user) + return can_alter and can_bulk_delete_submissions(user) def can_change_external_reviewers(user, submission) -> bool: @@ -202,7 +202,7 @@ def can_export_submissions(user) -> bool: return False -def is_user_has_access_to_view_submission(user, submission): +def can_view_submission(user, submission): if not user.is_authenticated: return False, "Login Required" 
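Review bot: No regression test accompanies the `view_comments` fix, and the diffstat lists only `permissions.py`, so the fail-open case is not pinned. The removed `if is_user_has_access_to_view_submission(user, submission):` tested a `(bool, str)` tuple, which is always truthy, so that branch returned True whatever the decision was. The same pattern is fixed for `can_alter_archived_submissions` in `can_bulk_archive_submissions` and for `can_access_project` in PATCH 3/3. A test that calls `view_comments` with a user for whom `can_view_submission` returns `(False, ...)` and who has no project access, asserting `False`, would keep this from regressing. It is also worth confirming that `can_bulk_delete_submissions`, whose body is not in this diff, returns a plain bool rather than a tuple.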
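Review bot: `can_view_submission` is declared without a return annotation even though it returns a `(bool, str)` pair (`return False, "Login Required"`), and that hidden contract is what made the truthiness mistake easy to write. `def can_view_submission(user, submission) -> tuple[bool, str]:` makes it visible at every call site. The rename also touches only this file, so any other module that still imports `is_user_has_access_to_view_submission` would fail at import. If such callers exist, a temporary alias `is_user_has_access_to_view_submission = can_view_submission` keeps them working. The function body continues outside the hunk.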
@@ -224,7 +224,7 @@ def is_user_has_access_to_view_submission(user, submission): def can_view_submission_screening(user, submission): - submission_view, _ = is_user_has_access_to_view_submission(user, submission) + submission_view, _ = can_view_submission(user, submission) if not submission_view: return False, "No access to view submission" if submission.user == user: @@ -235,10 +235,11 @@ def can_view_submission_screening(user, submission): def can_invite_co_applicants(user, submission): if submission.is_archive: return False, "Co-applicant can't be added to archived submission" - if hasattr(submission, "project"): + project = getattr(submission, "project", None) + if project: from hypha.apply.projects.models.project import COMPLETE - if submission.project.status == COMPLETE: + if project.status == COMPLETE: return False, "Co-applicants can't be invited to completed projects" if ( submission.co_applicant_invites.all().count() @@ -263,10 +264,11 @@ def can_view_co_applicants(user, submission): def can_update_co_applicant(user, invite): if invite.submission.is_archive: return False, "Co-applicant can't be updated to archived submission" - if hasattr(invite.submission, "project"): + project = getattr(invite.submission, "project", None) + if project: from hypha.apply.projects.models.project import COMPLETE - if invite.submission.project.status == COMPLETE: + if project.status == COMPLETE: return False, "Co-applicants can't be updated to completed projects" if invite.invited_by == user: return True, "Same user who invited can delete the co-applicant" @@ -285,7 +287,7 @@ def user_can_view_post_comment_form(user, submission): permissions_map = { - "submission_view": is_user_has_access_to_view_submission, + "submission_view": can_view_submission, "submission_edit": can_edit_submission, "submission_action": can_take_submission_actions, "can_view_submission_screening": can_view_submission_screening, From c670e82c09d0c33a26b9f7db1d179bdcd1b419fe Mon Sep 17 00:00:00 2001 
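Review bot: The reason for `getattr(submission, "project", None)` is not recorded, and the same line now appears in `view_comments`, `can_invite_co_applicants` and `can_update_co_applicant` (the `@@ -263` hunk). A missing project skips the `COMPLETE` check and falls through to the later rules, so the intended default should be stated, e.g. `# a submission may have no related project yet; treat that as "not completed"`. This assumes the accessor is a reverse relation that raises when no project exists, which the diff does not show. Both function bodies continue outside their hunks.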
From: Fredrik Jonsson Date: Tue, 17 Mar 2026 10:09:56 +0100 Subject: [PATCH 2/3] Clearer co-applicant permission handeling. --- hypha/apply/funds/permissions.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/hypha/apply/funds/permissions.py b/hypha/apply/funds/permissions.py index 581e19c34d..0cb7b65c66 100644 --- a/hypha/apply/funds/permissions.py +++ b/hypha/apply/funds/permissions.py @@ -38,12 +38,9 @@ def can_edit_submission(user, submission): if submission.phase.permissions.can_edit(user): co_applicant = submission.co_applicants.filter(user=user).first() if co_applicant: - if co_applicant.role not in [CoApplicantRole.VIEW, CoApplicantRole.COMMENT]: - return ( - True, - "Co-applicant with read/view only or comment access can't edit submission", - ) - return False, "" + if co_applicant.role == CoApplicantRole.EDIT: + return True, "Co-applicant with edit role can edit submission" + return False, "Co-applicant does not have edit role" return True, "User can edit in current phase" return False, "" @@ -147,6 +144,7 @@ def get_archive_alter_groups() -> list: def can_alter_archived_submissions(user, submission=None) -> (bool, str): """ Return a boolean based on if a user can alter archived submissions + (submission is accepted for compatibility with permissions_map but not used) """ archive_access_groups = get_archive_alter_groups() @@ -242,7 +240,7 @@ def can_invite_co_applicants(user, submission): if project.status == COMPLETE: return False, "Co-applicants can't be invited to completed projects" if ( - submission.co_applicant_invites.all().count() + submission.co_applicant_invites.count() >= settings.SUBMISSIONS_COAPPLICANT_INVITES_LIMIT ): return False, "Limit reached for this submission" From 733c5e85fa0f05ccb5960c2a362f71f5202be6c1 Mon Sep 17 00:00:00 2001 
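Review bot: The co-applicant branch in `can_edit_submission` overrides the phase check without saying so: once a co-applicant row exists for the user, only `CoApplicantRole.EDIT` allows editing, even though `submission.phase.permissions.can_edit(user)` already passed. This allow-list is a safer shape than the removed `not in [VIEW, COMMENT]` test, but it deserves a comment above the lookup, e.g. `# co-applicant role takes precedence over phase permissions; anything but EDIT is denied`. The final `return False, ""` still gives callers an empty reason; a message such as `"User can't edit in current phase"` would match the other branches. The start of the function is outside the hunk.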
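Review bot: The docstring of `can_alter_archived_submissions` still says "Return a boolean" while the function returns a `(bool, str)` pair, as the `can_alter, _ = ...` unpacking in PATCH 1/3 shows. That wording invites the same always-truthy check that was fixed there. Suggest `Return (allowed, reason): whether the user can alter archived submissions.` as the first docstring line. The annotation `-> (bool, str)` is a tuple of classes rather than a type and should be `-> tuple[bool, str]`. The function body continues outside the hunk.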
From: Fredrik Jonsson Date: Wed, 25 Mar 2026 08:36:00 +0100 Subject: [PATCH 3/3] Fix bugs in project permissions. --- hypha/apply/funds/permissions.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hypha/apply/funds/permissions.py b/hypha/apply/funds/permissions.py index 0cb7b65c66..ee555ce4cd 100644 --- a/hypha/apply/funds/permissions.py +++ b/hypha/apply/funds/permissions.py @@ -57,8 +57,10 @@ def view_comments(role, user, submission) -> bool: return True project = getattr(submission, "project", None) - if project and can_access_project(user, project): - return True + if project: + can_access, _ = can_access_project(user, project) + if can_access: + return True return False