From 3ee7cca3f1e6c3ce8c64268529011456f2089478 Mon Sep 17 00:00:00 2001
From: Fabio Ambauen
Date: Thu, 23 Jan 2025 14:56:33 +0100
Subject: [PATCH] feat: prevent org admins from changing fields on the organisation

This commit makes the main fields of an organisation for organisation admins read-only. Additionally this fixes two bugs: 1. Fetch title from backend (was always None) 2. Do not display comment field (was always empty)
---
 api/mysagw/identity/serializers.py | 8 ++++++++
 api/mysagw/identity/tests/test_me_views.py | 6 ++++--
 .../ui/components/identity-form/template.hbs | 17 ++++++++++++-----
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/api/mysagw/identity/serializers.py b/api/mysagw/identity/serializers.py
index a36dcf8ac..133be17c5 100644
--- a/api/mysagw/identity/serializers.py
+++ b/api/mysagw/identity/serializers.py
@@ -309,6 +309,7 @@ class Meta:
 "first_name",
 "last_name",
 "salutation",
+ "title",
 "language",
 "is_organisation",
 "organisation_name",
@@ -320,6 +321,13 @@ class Meta:
 )
 extra_kwargs = {
 "idp_id": {"read_only": True},
+ "email": {"read_only": True},
+ "organisation_name": {"read_only": True},
+ "first_name": {"read_only": True},
+ "last_name": {"read_only": True},
+ "salutation": {"read_only": True},
+ "title": {"read_only": True},
+ "language": {"read_only": True},
 "is_organisation": {"read_only": True},
 "is_expert_association": {"read_only": True},
 "is_advisory_board": {"read_only": True},
diff --git a/api/mysagw/identity/tests/test_me_views.py b/api/mysagw/identity/tests/test_me_views.py
index 1b9283482..d11c05139 100644
--- a/api/mysagw/identity/tests/test_me_views.py
+++ b/api/mysagw/identity/tests/test_me_views.py
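Review bot: The read-only protection in the second hunk is an opt-out list: each field is marked `read_only` one by one in `extra_kwargs`, so any field later added to `fields`, or any entry of the tuple above line 309 that is not visible here, stays writable for organisation admins by default. Since nearly every listed field is now read-only, a fail-closed form is safer, e.g. `read_only_fields = tuple(f for f in fields if f not in (<intentionally writable fields>))` together with a comment naming the fields that are meant to remain editable through this serializer. Note also that DRF drops read-only attributes from the request body silently rather than rejecting them, so a client that sends `organisation-name` still receives a success response; if the endpoint is meant to refuse such writes, that needs an explicit validation step. The `Meta` class and the `fields` tuple begin above this hunk.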
@@ -96,9 +96,11 @@ def test_me_update(db, client):
 "authorized",
 [True, False],
 )
-def test_my_orgs_update(db, client, authorized, membership_factory):
+def test_my_orgs_update_readonly(db, client, authorized, membership_factory):
 identity = client.user.identity
 membership = membership_factory(identity=identity, authorized=authorized)
+ membership.organisation.organisation_name = "Foo"
+ membership.organisation.save()
 url = reverse("my-orgs-detail", args=[str(membership.organisation.pk)])
@@ -106,7 +108,7 @@ def test_my_orgs_update(db, client, authorized, membership_factory):
 "data": {
 "type": "identities",
 "id": str(membership.organisation.pk),
- "attributes": {"organisation-name": "Foo"},
+ "attributes": {"organisation-name": "Bar"},
 },
 }
diff --git a/ember/app/ui/components/identity-form/template.hbs b/ember/app/ui/components/identity-form/template.hbs
index 81761b979..abeab05ce 100644
--- a/ember/app/ui/components/identity-form/template.hbs
+++ b/ember/app/ui/components/identity-form/template.hbs
@@ -59,10 +59,7 @@ {{/if}}
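Review bot: The visible part of `test_my_orgs_update_readonly` stores "Foo" and sends "Bar", but the assertion that proves the write is ignored lies outside the hunk, so it is not clear whether the check reads the database or only the response body. Because DRF answers with a success status while dropping read-only input, the test should reload the row, e.g. `membership.organisation.refresh_from_db()` followed by `assert membership.organisation.organisation_name == "Foo"`, and should pin the expected status code for each value of `authorized` (the unauthorised case presumably expects a denial rather than a silent no-op). The function body continues past the hunk.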
@@ -77,6 +74,7 @@ @disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} />
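Review bot: The `@disabled` expression `(or (cannot "edit identity" this.changeset.data) @readOnlyView @customEndpoint)` is now repeated in this hunk and again in the hunks at lines 91, 103, 113, 135 and 165, and `{{else if (not @readOnlyView @customEndpoint)}}` encodes the same rule once more, so the next change to the rule has seven places to miss. Computing it once at the top of the form, e.g. `{{#let (or (cannot "edit identity" this.changeset.data) @readOnlyView @customEndpoint) as |fieldsDisabled|}}` and then `@disabled={{fieldsDisabled}}` on each field, keeps the inputs consistent. A short template comment noting that this disabling is presentation only and that the serializer's `read_only` settings are the enforced control would help the next reader. The component invocations in these hunks start and end outside the visible lines.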
@@ -91,6 +89,7 @@ @disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} />
@@ -103,6 +102,7 @@ @disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} />
@@ -113,6 +113,7 @@ @disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} />
@@ -135,6 +136,7 @@ this.changeset.idpId (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} value={{field.value}} {{on "input" (fn this.eventTarget field.update)}}
@@ -165,6 +167,7 @@ @disabled={{or (cannot "edit identity" this.changeset.data) @readOnlyView + @customEndpoint }} />
@@ -175,11 +178,15 @@ @disabled={{cannot "edit identity" this.changeset.data}} /> - {{else if (not @readOnlyView)}} + {{else if (not @readOnlyView @customEndpoint)}}