
Added new conditions for removing attachments

TonyKurts 1 year ago
parent
commit
9670a28c98
4 changed files with 21 additions and 12 deletions
  1. 9 7
      templates/tickets/ticket_detail.html
  2. 1 1
      utils.py
  3. 10 1
      views/attachment_remove.py
  4. 1 3
      views/ticket_detail.py

+ 9 - 7
templates/tickets/ticket_detail.html

@@ -166,14 +166,16 @@
             <tr>
               <td><a href="{{ attachment.file.url }}">{{ attachment.filename }}</a></td>
               <td>{{ attachment.timestamp }}</td>
-              <td>{{ attachment.added_by_username }}</td>
+              <td>{{ attachment.added_by.username }}</td>
               <td>
-                <form action="{% url "tickets:remove_attachment" attachment.id %}" method="POST">
-                  {% csrf_token %}
-                  <button type="submit" class="btn btn-danger btn-sm">
-                    <i class="fa-solid fa-xmark"></i>
-                  </button>
-                </form>
+                {% if user.is_staff or user.is_superuser or attachment.added_by == user or ticket.created_by == user %}
+                  <form action="{% url "tickets:remove_attachment" attachment.id %}" method="POST">
+                    {% csrf_token %}
+                    <button type="submit" class="btn btn-danger btn-sm">
+                      <i class="fa-solid fa-xmark"></i>
+                    </button>
+                  </form>
+                {% endif %}
               </td>
             </tr>
           {% endfor %}
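Review bot: The visibility test added at the `{% if %}` line is looser than the enforcement check in views/attachment_remove.py for the ticket creator: here `ticket.created_by == user` alone shows the remove button, whereas the view additionally requires the creator to be `assigned_to` or in the ticket list's group. In practice the page is already gated by UserCanReadTicketMixin, so the gap is presumably narrow, but the two conditions are easy to drift apart, and the template is only a UX hint; the view remains the place the decision is actually enforced. A comment would make that dependency explicit, e.g. `{# mirrors the permission check in views/attachment_remove.py — keep the two in sync #}` placed just above the `{% if %}`.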

+ 1 - 1
utils.py

@@ -24,7 +24,7 @@ class UserCanReadTicketListMixin(UserPassesTestMixin):
 class UserCanReadTicketMixin(UserPassesTestMixin):
     def test_func(self):
         ticket = get_object_or_404(Ticket.objects.select_related('ticket_list', 'ticket_list__group'), pk=self.kwargs.get('pk'))
-        return self.request.user.is_superuser or ticket.ticket_list.group in self.request.user.groups.all()
+        return self.request.user.is_superuser or ticket.ticket_list.group in self.request.user.groups.all() or ticket.assigned_to == self.request.user
 
 
 def remove_attachment_file(attachment_id: int) -> bool:
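Review bot: The read check in `test_func` and the new remove check in views/attachment_remove.py disagree on `is_staff`: that view lets a staff user remove attachments, while this mixin still denies a staff user who is neither superuser, in the list's group, nor `assigned_to` access to the ticket page. Whether staff should be privileged is a product decision, but the two checks should agree, so either add `is_staff` here or drop it there. The returned expression has also grown past comfortable line length; binding `user = self.request.user` first and splitting the three alternatives across lines in parentheses would keep it readable. `test_func` is fully visible in the hunk.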

+ 10 - 1
views/attachment_remove.py

@@ -14,7 +14,16 @@ def remove_attachment(request, attachment_id):
         attachment = get_object_or_404(Attachment, pk=attachment_id)
 
         # Permissions
-        if not (attachment.ticket.ticket_list.group in request.user.groups.all()or request.user.is_superuser):
+        is_admin_or_staff = request.user.is_superuser or request.user.is_staff
+        is_attachment_accessible = (
+            attachment.added_by == request.user or
+            attachment.ticket.created_by == request.user and (
+                attachment.ticket.assigned_to == request.user or
+                attachment.ticket.list.group in request.user.groups.all()
+            )
+        )
+
+        if not (is_admin_or_staff or is_attachment_accessible):
             raise PermissionDenied
 
         if remove_attachment_file(attachment.id):
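Review bot: `attachment.ticket.list.group` in the new `is_attachment_accessible` expression looks like a typo for `attachment.ticket.ticket_list.group`, which is what the removed line and `UserCanReadTicketMixin` in utils.py use; unless Ticket also defines a `list` attribute, this raises AttributeError the first time a ticket creator who is neither the uploader nor `assigned_to` tries to remove an attachment. The mixed `or`/`and` without parentheses is also hard to read: as written it evaluates as `added_by == user or (created_by == user and (...))`, which seems to be the intent, but it should be parenthesized so that reads the same to the next maintainer, i.e. `attachment.added_by == request.user or (attachment.ticket.created_by == request.user and (attachment.ticket.assigned_to == request.user or attachment.ticket.ticket_list.group in request.user.groups.all()))`. The enclosing `remove_attachment` starts and ends outside the hunk.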

+ 1 - 3
views/ticket_detail.py

@@ -28,9 +28,7 @@ class TicketDetailView(LoginRequiredMixin, UserCanReadTicketMixin, DetailView):
         context['comment_list'] = Comment.objects.filter(ticket=self.object.pk).order_by("-date").annotate(
             author_username=F("author__username"), author_email=F("author__email")
         )
-        context['attachments'] = Attachment.objects.filter(ticket=self.object.pk).annotate(
-            added_by_username=F("added_by__username")
-        )
+        context['attachments'] = Attachment.objects.filter(ticket=self.object.pk).select_related("added_by")
         context['available_statuses'] = self.object.get_available_statuses()
         return context