From 300ae1deb61f616cd9a9630e85db37d19d9a70cd Mon Sep 17 00:00:00 2001
From: Clemens Wolff
Date: Fri, 30 Aug 2019 15:45:19 -0400
Subject: [PATCH] Fix 403 when project admin accesses edit pages
---
 app/api/permissions.py | 9 ++++++---
 app/server/views.py | 16 ++++++++--------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/app/api/permissions.py b/app/api/permissions.py
index 64843259..b63e0d61 100644
--- a/app/api/permissions.py
+++ b/app/api/permissions.py
@@ -22,10 +22,13 @@ class IsAdminUserAndWriteOnly(BasePermission):
 return IsAdminUser().has_permission(request, view)
-class SuperUserMixin(UserPassesTestMixin):
-
+class ProjectAdminMixin(UserPassesTestMixin):
 def test_func(self):
- return self.request.user.is_superuser
+ return self.request.user.is_superuser or is_in_role(
+ role_name=IsProjectAdmin.role_name,
+ user_id=self.request.user.id,
+ project_id=self.kwargs['project_id'],
+ )
 class IsOwnAnnotation(ProjectMixin, BasePermission):
diff --git a/app/server/views.py b/app/server/views.py
index e8be32ba..e1f431c7 100644
--- a/app/server/views.py
+++ b/app/server/views.py
@@ -8,7 +8,7 @@ from django.views.generic import TemplateView
 from django.views.generic.list import ListView
 from django.contrib.auth.mixins import LoginRequiredMixin
-from api.permissions import SuperUserMixin
+from api.permissions import ProjectAdminMixin
 from api.models import Project, RoleMapping
 from app import settings
@@ -38,7 +38,7 @@ class ProjectsView(LoginRequiredMixin, TemplateView):
 template_name = 'projects.html'
-class DatasetView(SuperUserMixin, LoginRequiredMixin, ListView):
+class DatasetView(ProjectAdminMixin, LoginRequiredMixin, ListView):
 template_name = 'dataset.html'
 paginate_by = 5
 extra_context = {
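Review bot: The new test_func indexes `self.kwargs['project_id']` directly, so attaching ProjectAdminMixin to a route that does not capture `project_id` raises KeyError (a 500) instead of producing a denial; every view touched by this patch looks project-scoped, but that requirement is undocumented. A docstring on the class would pin it: `"""Grant access to superusers and to users holding the project-admin role for the project in the ``project_id`` URL kwarg; mount only on routes that capture it."""`. `is_in_role` and `IsProjectAdmin.role_name` are used without an import in this hunk, so they are presumably defined elsewhere in permissions.py — worth confirming, and the old name `SuperUserMixin` disappears with this rename, so any importer other than views.py would now fail at import time. The superuser check short-circuits before `is_in_role`, so the role lookup only runs for non-superusers, which is fine.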
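Review bot: With `ProjectAdminMixin` listed before `LoginRequiredMixin` in the new DatasetView bases, the mixin's `dispatch` runs `test_func` before the login check, so an anonymous request reaches `is_in_role` with `user_id=None` and hits the database before being turned away; I believe Django's `handle_no_permission` still redirects unauthenticated users to login, so the outcome is correct, but the role query is wasted and any exception `is_in_role` raises for a missing user would surface as a 500 rather than a redirect. Putting the login check first, `class DatasetView(LoginRequiredMixin, ProjectAdminMixin, ListView):`, short-circuits that. The same base order appears in LabelView, StatsView, GuidelineView, UsersView, DataUpload and DataDownload in the following hunks.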
@@ -50,35 +50,35 @@ class DatasetView(SuperUserMixin, LoginRequiredMixin, ListView):
 return project.documents.all()
-class LabelView(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class LabelView(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 extra_context = {
 'bundle_name': 'label'
 }
-class StatsView(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class StatsView(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 extra_context = {
 'bundle_name': 'stats'
 }
-class GuidelineView(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class GuidelineView(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 extra_context = {
 'bundle_name': 'guideline'
 }
-class UsersView(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class UsersView(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 extra_context = {
 'bundle_name': 'users'
 }
-class DataUpload(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class DataUpload(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 def get_context_data(self, **kwargs):
@@ -88,7 +88,7 @@ class DataUpload(SuperUserMixin, LoginRequiredMixin, TemplateView):
 return context
-class DataDownload(SuperUserMixin, LoginRequiredMixin, TemplateView):
+class DataDownload(ProjectAdminMixin, LoginRequiredMixin, TemplateView):
 template_name = 'admin.html'
 def get_context_data(self, **kwargs):