feat: prevent org admins from changing fields on the organisation
This commit makes the main fields of an organisation for organisation
admins read-only.

Additionally this fixes two bugs:

1. Fetch title from backend (was always None)
2. Do not display comment field (was always empty)
open-dynaMIX committed Jan 23, 2025
1 parent b9b00e2 commit 3ee7cca
Showing 3 changed files with 24 additions and 7 deletions.
8 changes: 8 additions & 0 deletions api/mysagw/identity/serializers.py
Expand Up @@ -309,6 +309,7 @@ class Meta:
"first_name",
"last_name",
"salutation",
"title",
"language",
"is_organisation",
"organisation_name",
Expand All @@ -320,6 +321,13 @@ class Meta:
)
extra_kwargs = {
"idp_id": {"read_only": True},
"email": {"read_only": True},
"organisation_name": {"read_only": True},
"first_name": {"read_only": True},
"last_name": {"read_only": True},
"salutation": {"read_only": True},
"title": {"read_only": True},
"language": {"read_only": True},
"is_organisation": {"read_only": True},
"is_expert_association": {"read_only": True},
"is_advisory_board": {"read_only": True},
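Review bot: The read-only set in `extra_kwargs` is kept as a per-field list, so any field later added to `fields` is writable through this serializer unless someone remembers to list it here too. Since nearly every visible field is now read-only, a default-deny layout is safer: mark all fields read-only and name only the ones that may be changed, for example with `read_only_fields` derived from `fields` minus the writable names. At minimum, put a comment above `extra_kwargs` such as `# Every entry in "fields" must be listed here unless org admins are meant to edit it.` DRF drops read-only fields from the payload without raising an error, so a client that sends them still gets a success response with nothing changed. The enclosing serializer class starts outside the visible section, so which endpoints share this `Meta` should be confirmed.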
6 changes: 4 additions & 2 deletions api/mysagw/identity/tests/test_me_views.py
Expand Up @@ -96,17 +96,19 @@ def test_me_update(db, client):
"authorized",
[True, False],
)
def test_my_orgs_update(db, client, authorized, membership_factory):
def test_my_orgs_update_readonly(db, client, authorized, membership_factory):
identity = client.user.identity
membership = membership_factory(identity=identity, authorized=authorized)
membership.organisation.organisation_name = "Foo"
membership.organisation.save()

url = reverse("my-orgs-detail", args=[str(membership.organisation.pk)])

data = {
"data": {
"type": "identities",
"id": str(membership.organisation.pk),
"attributes": {"organisation-name": "Foo"},
"attributes": {"organisation-name": "Bar"},
},
}

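Review bot: The visible part of `test_my_orgs_update_readonly` only builds the request (stored name `Foo`, submitted name `Bar`); its assertions lie outside the hunk. Because DRF ignores read-only fields in the payload rather than rejecting them, a status-code check alone would not show that the write was blocked. In the authorized case the test should reload the row and compare, e.g. `membership.organisation.refresh_from_db()` followed by `assert membership.organisation.organisation_name == "Foo"`. Only `organisation-name` is exercised here; the other fields this commit makes read-only (`email`, `first_name`, `language`, …) could be covered by parametrizing the submitted attribute.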
17 changes: 12 additions & 5 deletions ember/app/ui/components/identity-form/template.hbs
Expand Up @@ -59,10 +59,7 @@
<Form.input
@label={{t "components.identity-form.label.organisationName"}}
@name="organisationName"
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
}}
@disabled="true"
/>
{{/if}}
<div class="uk-child-width-expand@s" uk-grid>
Expand All @@ -77,6 +74,7 @@
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
/>
</div>
Expand All @@ -91,6 +89,7 @@
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
/>
</div>
Expand All @@ -103,6 +102,7 @@
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
/>
</div>
Expand All @@ -113,6 +113,7 @@
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
/>
</div>
Expand All @@ -135,6 +136,7 @@
this.changeset.idpId
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
value={{field.value}}
{{on "input" (fn this.eventTarget field.update)}}
Expand Down Expand Up @@ -165,6 +167,7 @@
@disabled={{or
(cannot "edit identity" this.changeset.data)
@readOnlyView
@customEndpoint
}}
/>

Expand All @@ -175,11 +178,15 @@
@disabled={{cannot "edit identity" this.changeset.data}}
/>
</div>
{{else if (not @readOnlyView)}}
{{else if (not @readOnlyView @customEndpoint)}}
<Form.input
@label={{t "components.identity-form.label.comment"}}
@name="comment"
@type="textarea"
@disabled={{or
(cannot "edit identity" this.changeset.data)
@customEndpoint
}}
/>

<p class="uk-flex uk-flex-between">
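Review bot: In the first hunk the organisation name input is now disabled with the constant `@disabled="true"`, while every other input in this template gains `@customEndpoint` inside the existing `or`. The enclosing `{{#if}}` opens outside the hunk; if it is not limited to the custom endpoint, this also locks the field for users who pass the `edit identity` check on the regular form. Consider `@disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView @customEndpoint}}` to match the other inputs. If the constant is intended, `{{true}}` is clearer than the string `"true"`, since any non-empty string would disable the input just the same. In the last hunk the `@customEndpoint` term in the comment field's `@disabled` looks unreachable, because that branch is presumably only entered when `(not @readOnlyView @customEndpoint)` holds.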
