:date: 2017-09-03

=========================
Sunday, September 3, 2017
=========================

Custom permissions for the detail action (continued)
====================================================

We now have a new method :meth:`lino.core.actions.Action.get_label`.
This caused also a few code changes in the renderer of :ref:`extjs6`.

This change was needed because
:meth:`lino.core.actors.Actor._collect_actions` now attaches also the
library actions, which caused the `label` property of the actors of
these to be read already during startup for these actions as
well. This caused a problem for actors with a dynamic label because
they do a database lookup (e.g. :mod:`lino_book.projects.actors`; en
passant I converted the :file:`index.rst` file of that demo project to
:ref:`specs.projects.actors`).  Oh yes, this is historically grown and
poorly documented code.

Another question was: Can teachers (in :ref:`avanti`) confirm an
enrolment?  This is what changed with the new feature, and it made the
Avanti test suite fail.  Laura should not have permission to confirm
that enrolment because the author is another user (nathalie) and Laura
is just a teacher.

>>> from lino import startup
>>> startup('lino_book.projects.adg.settings.demo')
>>> from lino.api.doctest import *
>>> ar = rt.login('laura')
>>> user_type = ar.get_user().user_type
>>> user_type
<users.UserTypes.teacher:100>
>>> user_type.role
... #doctest: +ELLIPSIS
<lino_avanti.lib.avanti.user_types.Teacher object at ...>

>>> obj = rt.models.courses.Enrolment.objects.get(pk=9)
>>> obj.user
User #5 ('nathalie')

>>> obj.wf1.get_row_permission(ar)
True

>>> ba = obj.wf1.bound_action
>>> ba.actor.get_row_state(obj)
<EnrolmentStates.requested:10>

>>> ba.actor
lino_xl.lib.courses.desktop.Enrolments

>>> ba.actor.get_row_permission(obj, ar, obj.state, ba)
True

>>> obj.get_row_permission(ar, obj.state, ba)
True

>>> obj.manager_roles_required
set([<class 'lino.core.roles.SiteUser'>])

Okay now I see. It's because I added the :class:`SiteUser
<lino.core.roles.SiteUser>` role to the :class:`Teacher
<lino_avanti.lib.avanti.user_types.Teacher>` user type. And that was
correct: teachers are site users.

The :attr:`manager_roles_required` attribute on Enrolment is not
:class:`SiteStaff but :class:`SiteUser`. It is defined as::

    manager_roles_required = dd.login_required()

So it is "normal" that every site user can edit the state of
enrolments made by other users. It was rather a bug that in Avanti
this was not allowed because :class:`Teacher
<lino_avanti.lib.avanti.user_types.Teacher>` (by mistake) was lacking
the :class:`SiteUser` role.