Merge pull request #958 from opengisch/QF-3822-limit-project-edit-to-…

…admin Limit QGIS project modifications to managers and admins
opengisch · Jun 20, 2024 · 61288ce · 61288ce
2 parents 89d4622 + 0ea0f74
commit 61288ce
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 0 deletions.
diff --git a/docker-app/qfieldcloud/core/admin.py b/docker-app/qfieldcloud/core/admin.py
@@ -758,6 +758,7 @@ class ProjectAdmin(QFieldCloudModelAdmin):
         "status",
         "status_code",
         "project_filename",
+        "has_restricted_projectfiles",
         "file_storage_bytes",
         "storage_keep_versions",
         "packaging_offliner",

diff --git a/docker-app/qfieldcloud/core/exceptions.py b/docker-app/qfieldcloud/core/exceptions.py
@@ -133,6 +133,15 @@ class MultipleProjectsError(QFieldCloudException):
     status_code = status.HTTP_400_BAD_REQUEST
 
 
+class RestrictedProjectModificationError(QFieldCloudException):
+    """Raised when a user with insufficient role is trying to modify QGIS/QField projectfiles
+    of a project that has the 'has_restricted_projectfiles' flag set"""
+
+    code = "restricted_project_modification"
+    message = "Restricted project modification"
+    status_code = status.HTTP_400_BAD_REQUEST
+
+
 class DeltafileValidationError(QFieldCloudException):
     """Raised when a deltafile validation fails"""
 

diff --git a/docker-app/qfieldcloud/core/migrations/0076_project_restrict_project_modification.py b/docker-app/qfieldcloud/core/migrations/0076_project_restrict_project_modification.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.2.25 on 2024-05-25 10:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0075_auto_20240323_1419"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="project",
+            name="has_restricted_projectfiles",
+            field=models.BooleanField(
+                default=False,
+                help_text="Restrict modifications of QGIS/QField projectfiles to managers and administrators.",
+            ),
+        ),
+    ]
diff --git a/docker-app/qfieldcloud/core/models.py b/docker-app/qfieldcloud/core/models.py
@@ -1016,6 +1016,14 @@ class Meta:
             "If enabled, QFieldCloud will automatically overwrite conflicts in this project. Disabling this will force the project manager to manually resolve all the conflicts."
         ),
     )
+
+    has_restricted_projectfiles = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Restrict modifications of QGIS/QField projectfiles to managers and administrators."
+        ),
+    )
+
     thumbnail_uri = models.CharField(
         _("Thumbnail Picture URI"), max_length=255, blank=True
     )

diff --git a/docker-app/qfieldcloud/core/permissions_utils.py b/docker-app/qfieldcloud/core/permissions_utils.py
@@ -253,6 +253,29 @@ def can_create_files(user: QfcUser, project: Project) -> bool:
     )
 
 
+def can_modify_qgis_projectfile(user: QfcUser, project: Project) -> bool:
+    if project.has_restricted_projectfiles:
+        return user_has_project_roles(
+            user,
+            project,
+            [
+                ProjectCollaborator.Roles.ADMIN,
+                ProjectCollaborator.Roles.MANAGER,
+            ],
+        )
+    else:
+        return user_has_project_roles(
+            user,
+            project,
+            [
+                ProjectCollaborator.Roles.ADMIN,
+                ProjectCollaborator.Roles.MANAGER,
+                ProjectCollaborator.Roles.EDITOR,
+                ProjectCollaborator.Roles.REPORTER,
+            ],
+        )
+
+
 def can_read_projects(user: QfcUser, _account: QfcUser) -> bool:
     return user.is_authenticated
 

diff --git a/docker-app/qfieldcloud/core/views/files_views.py b/docker-app/qfieldcloud/core/views/files_views.py
@@ -261,6 +261,14 @@ def post(self, request, projectid, filename, format=None):
             project = Project.objects.get(id=projectid)
         is_qgis_project_file = utils.is_qgis_project_file(filename)
 
+        # check if the project restricts qgs/qgz file modification to admins
+        if is_qgis_project_file and not permissions_utils.can_modify_qgis_projectfile(
+            request.user, project
+        ):
+            raise exceptions.RestrictedProjectModificationError(
+                "The project restricts modification of the QGIS project file to managers and administrators."
+            )
+
         # check only one qgs/qgz file per project
         if (
             is_qgis_project_file