The superuser in the web interface now has the same permissions as other users

forms/ticket.py

@@ -9,10 +9,7 @@ class TicketForm(forms.ModelForm):
     def __init__(self, user, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        group_ids = Group.objects.values_list("pk", flat=True)
-        if not user.is_superuser:
-            group_ids = group_ids.filter(user=user)
-            
+        group_ids = Group.objects.values_list("pk", flat=True).filter(user=user)
         ticket_lists = TicketList.objects.select_related("group").filter(group__in=group_ids)
 
         self.fields["assigned_to"].empty_label = "Anyone"

templates/tickets/ticket_detail.html

@@ -76,7 +76,7 @@
         <p class="my-3">No available statuses</p>
       {% endif %}
       
-      {% if user.is_staff or user.is_superuser or ticket.created_by == user %}
+      {% if ticket.created_by == user %}
         <div class="d-flex justify-content-between">
           <button type="button" data-bs-toggle="modal" data-bs-target="#ticket-edit-modal" class="btn btn-primary">
             <i class="fa-solid fa-pen-to-square pe-1"></i>
@@ -168,7 +168,7 @@
               <td>{{ attachment.timestamp }}</td>
               <td>{{ attachment.added_by.username }}</td>
               <td>
-                {% if user.is_staff or user.is_superuser or attachment.added_by == user or ticket.created_by == user %}
+                {% if attachment.added_by == user or ticket.created_by == user %}
                   <form action="{% url "tickets:remove_attachment" attachment.id %}" method="POST">
                     {% csrf_token %}
                     <button type="submit" class="btn btn-danger btn-sm">

utils.py

@@ -18,19 +18,19 @@ class SuperuserStaffRequiredMixin(UserPassesTestMixin):
 class UserCanReadTicketListMixin(UserPassesTestMixin):
     def test_func(self):
         ticket_list = get_object_or_404(TicketList.objects.select_related('group'), pk=self.kwargs.get('pk'))
-        return self.request.user.is_superuser or ticket_list.group in self.request.user.groups.all()
+        return ticket_list.group in self.request.user.groups.all()
 
 
 class UserCanReadTicketMixin(UserPassesTestMixin):
     def test_func(self):
         ticket = get_object_or_404(Ticket.objects.select_related('ticket_list', 'ticket_list__group'), pk=self.kwargs.get('pk'))
-        return self.request.user.is_superuser or ticket.ticket_list.group in self.request.user.groups.all() or ticket.assigned_to == self.request.user
+        return ticket.ticket_list.group in self.request.user.groups.all() or ticket.assigned_to == self.request.user
 
 
 class UserCanWriteTicketMixin(UserPassesTestMixin):
     def test_func(self):
         ticket = get_object_or_404(Ticket.objects.all(), pk=self.kwargs.get('pk'))
-        return self.request.user.is_superuser or self.request.user.is_staff or ticket.created_by == self.request.user
+        return ticket.created_by == self.request.user
 
 
 def remove_attachment_file(attachment_id: int) -> bool:

views/attachment_remove.py

@@ -13,17 +13,7 @@ def remove_attachment(request, attachment_id):
     if request.method == "POST":
         attachment = get_object_or_404(Attachment, pk=attachment_id)
 
-        # Permissions
-        is_admin_or_staff = request.user.is_superuser or request.user.is_staff
-        is_attachment_accessible = (
-            attachment.added_by == request.user or
-            attachment.ticket.created_by == request.user and (
-                attachment.ticket.assigned_to == request.user or
-                attachment.ticket.list.group in request.user.groups.all()
-            )
-        )
-
-        if not (is_admin_or_staff or is_attachment_accessible):
+        if not (attachment.added_by == request.user or attachment.ticket.created_by == request.user) and (attachment.ticket.list.group in request.user.groups.all()):
             raise PermissionDenied
 
         if remove_attachment_file(attachment.id):

views/delete.py

@@ -22,13 +22,13 @@ class BaseDeleteView(LoginRequiredMixin, View):
         return redirect(self.redirect_url)
 
 
-class TicketListDeleteView(BaseDeleteView, SuperuserStaffRequiredMixin, UserCanReadTicketListMixin):
+class TicketListDeleteView(BaseDeleteView, SuperuserStaffRequiredMixin):
     model = TicketList
     success_message = 'The "{0.name}" list has been successfully deleted from "{0.group.name}" group.'
     redirect_url = "tickets:ticket_list_list"
 
 
-class TicketDeleteView(BaseDeleteView, UserCanReadTicketMixin, UserCanWriteTicketMixin):
+class TicketDeleteView(BaseDeleteView, UserCanWriteTicketMixin):
     model = Ticket
     success_message = 'The "{0.title}" ticket has been successfully deleted from {0.ticket_list} > {0.ticket_list.group}.'
     redirect_url = "tickets:ticket_list_list"

views/search.py

@@ -15,12 +15,10 @@ def search(request):
         if ("search" in request.GET) and request.GET["search"].strip():
             query_string = request.GET["search"]
 
-            found_tickets = Ticket.objects.all()
-            if not request.user.is_superuser:
-                found_tickets = found_tickets.filter(
-                    Q(ticket_list__group__in=request.user.groups.all())
-                    | Q(assigned_to=request.user)
-                )
+            found_tickets = Ticket.objects.filter(
+                Q(ticket_list__group__in=request.user.groups.all())
+                | Q(assigned_to=request.user)
+            )
             
             found_tickets = found_tickets.annotate(created_by_username=F("created_by__username"))
             found_tickets = found_tickets.annotate(assigned_to_username=F("assigned_to__username"))

views/ticket_list_detail.py

@@ -19,7 +19,7 @@ def ticket_list_detail(request, pk=None, my_tickets=False, assignments=False):
         tickets = Ticket.objects.filter(created_by=request.user)
     else:
         ticket_list = get_object_or_404(TicketList.objects.select_related('group'), id=pk)
-        if ticket_list.group not in request.user.groups.all() and not request.user.is_superuser:
+        if ticket_list.group not in request.user.groups.all():
             raise PermissionDenied
 
         tickets = Ticket.objects.filter(ticket_list=ticket_list)

views/ticket_list_list.py

@@ -16,13 +16,12 @@ class TicketListView(LoginRequiredMixin, ListView):
         user = self.request.user
         user_groups_ids = user.groups.all().values_list("pk", flat=True)
         ticket_lists  = TicketList.objects.select_related("group").order_by("group__name", "name")
-        
-        if not user.is_superuser:
-            if user_groups_ids:
-                ticket_lists = ticket_lists.filter(group__id__in=user_groups_ids)
-            else:
-                messages.warning(self.request, "You do not yet belong to any groups. Ask your administrator to add you to one.")
-                ticket_lists = TicketList.objects.none()
+    
+        if user_groups_ids:
+            ticket_lists = ticket_lists.filter(group__id__in=user_groups_ids)
+        else:
+            messages.warning(self.request, "You do not yet belong to any groups. Ask your administrator to add you to one.")
+            ticket_lists = TicketList.objects.none()
 
         return ticket_lists