From 34eabe6af7bc73541845208100b554e445c9a893 Mon Sep 17 00:00:00 2001
From: Emanuele <ema.trabattoni@gmail.com>
Date: Tue, 18 Nov 2025 16:34:50 +0100
Subject: [PATCH] Fixed permission on add, change, delete based on week number
 for students

---
 techdb/flightslot/admin.py | 104 ++++++++++++++++++++++++++++++++-----
 1 file changed, 91 insertions(+), 13 deletions(-)

diff --git a/techdb/flightslot/admin.py b/techdb/flightslot/admin.py
index b9a5f51..47dc88f 100644
--- a/techdb/flightslot/admin.py
+++ b/techdb/flightslot/admin.py
@@ -42,6 +42,17 @@ class HourBuildingLegInline(nested_admin.NestedTabularInline):
     fk_name = 'hb'
     max_num = 5
 
+    # If user is a student deny edit permission for week past the current one
+    def has_change_permission(self, request: HttpRequest, obj: HourBuilding | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if not obj.DoesNotExist and current_week > obj.weekpref.week:
+                return False
+        return True
+    
+    def has_delete_permission(self, request: HttpRequest, obj: HourBuilding | None = None):
+        return self.has_change_permission(request=request, obj=obj)
+
 class HourBuildingInLine(nested_admin.NestedTabularInline):
     model = HourBuilding
     extra = 0
@@ -50,6 +61,17 @@ class HourBuildingInLine(nested_admin.NestedTabularInline):
     verbose_name_plural = "Hour Building"
     max_num = 7
 
+    # If user is a student deny edit permission for week past the current one
+    def has_change_permission(self, request: HttpRequest, obj: WeekPreference | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if current_week > obj.week:
+                return False
+        return True
+    
+    def has_delete_permission(self, request: HttpRequest, obj: WeekPreference | None = None):
+        return self.has_change_permission(request=request, obj=obj)
+
 class TrainingInLIne(nested_admin.NestedTabularInline):
     model = Training
     form = TrainingForm
@@ -57,10 +79,21 @@ class TrainingInLIne(nested_admin.NestedTabularInline):
     fk_name = 'weekpref'
     verbose_name_plural = "Training Missions"
     max_num = 7
+
+    # If user is a student deny edit permission for week past the current one
+    def has_change_permission(self, request: HttpRequest, obj: WeekPreference | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if current_week > obj.week:
+                return False
+        return True
+    
+    def has_delete_permission(self, request: HttpRequest, obj: WeekPreference | None = None):
+        return self.has_change_permission(request=request, obj=obj)
     
 class WeekPreferenceAdmin(nested_admin.NestedModelAdmin):
     inlines = (TrainingInLIne, HourBuildingInLine,)
-    list_display = ("week", "student__name", "student__surname", "student__course", "course_color", "student_brief_mix",)
+    list_display = ("week", "student__surname","student__name", "student__course", "course_color", "student_brief_mix",)
     list_filter = ("week", "student__course", "student",)
     actions = ("export",)
 
@@ -82,15 +115,24 @@ class WeekPreferenceAdmin(nested_admin.NestedModelAdmin):
         if not obj.student.course:
             return SafeText("")
         return course_color(obj.student.course.color)
-
-    def has_module_permission(self, request):
+    
+    # If a user is registered as student hide filters
+    def get_list_filter(self, request):
+        list_filter = super().get_list_filter(request)
         if hasattr(request.user, 'student'):
-            return False
-        return True
+            return []
+        return list_filter
+    
+    # If a user is registered as student do not show actions
+    def get_actions(self, request):
+        actions = super().get_actions(request)
+        if hasattr(request.user, 'student'):
+            return []
+        return actions
 
+    # If a user is registered as student show only their preferences
     def get_queryset(self, request):
         qs = super().get_queryset(request)
-        # If a user is registered as student show only their preferences
         if hasattr(request.user, 'student'):
             return qs.filter(student=request.user.student)
         # If admin show everything
@@ -98,6 +140,12 @@ class WeekPreferenceAdmin(nested_admin.NestedModelAdmin):
 
     def get_form(self, request, obj=None, **kwargs):
         form: forms.Form = super().get_form(request, obj, **kwargs)
+        current_week = date.today().isocalendar().week
+
+        # If form contains the week field
+        if 'week' in form.base_fields:
+            # Set default value as current week
+            form.base_fields['week'].initial = current_week
 
         # If student is current user making request
         if hasattr(request.user, 'student'):
@@ -105,15 +153,45 @@ class WeekPreferenceAdmin(nested_admin.NestedModelAdmin):
             if 'student' in form.base_fields:
                 form.base_fields['student'].initial = student
                 form.base_fields['student'].disabled = True
-                form.base_fields['week'].disabled = True
-
-        # If form contains the week field
-        if 'week' in form.base_fields:
-            # Set default value as current week
-            current_week = date.today().isocalendar().week
-            form.base_fields['week'].initial = current_week
+                form.base_fields['week'].disabled = True # student cannot change week 
         return form
     
+    # If user is a student deny edit permission for week past the current one
+    def has_change_permission(self, request, obj: WeekPreference | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if current_week > obj.week:
+                return False
+        return True
+    
+    # If user is a student deny edit permission for week past the current one
+    def has_add_permission(self, request, obj: WeekPreference | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if current_week > obj.week:
+                return False
+        return True
+    
+    # If user is a student deny edit permission for week past the current one
+    def has_delete_permission(self, request, obj: WeekPreference | None = None):
+        if hasattr(request.user, 'student') and obj:
+            current_week = date.today().isocalendar().week
+            if current_week > obj.week:
+                return False
+        return True
+    
+    def changeform_view(self, request: HttpRequest, object_id: int | None = None, form_url: str = '', extra_context=None):
+        extra_context = extra_context or {}
+        if hasattr(request.user, 'student') and object_id:
+            current_week = date.today().isocalendar().week
+            weekpref = WeekPreference.objects.get(id=object_id)
+            if current_week > weekpref.week:
+                extra_context['show_save'] = False
+                extra_context['show_save_and_continue'] = False
+                extra_context['show_save_and_add_another'] = False
+                extra_context['show_delete'] = False
+        return super().changeform_view(request, object_id, form_url, extra_context)
+    
     def save_model(self, request, obj, form, change):
         # Imposta automaticamente lo studente se non è già valorizzato
         if hasattr(request.user, 'student') and not obj.student_id: