Merge remote-tracking branch 'origin/master'

weblate/html/project.html

@@ -16,6 +16,7 @@
 
 {% can_see_repository_status user object as user_can_see_repository_status %}
 {% can_commit_translation user object as user_can_commit_translation %}
+{% can_manage_acl user object as user_can_manage_acl %}
 
 <ul class="nav nav-pills">
   <li class="active"><a href="#overview" data-toggle="tab">{% trans "Overview" %}</a></li>
@@ -35,7 +36,7 @@
       {% endif %}
       <li><a href="{% url 'checks' %}?project={{ object.slug }}">{% trans "Failing checks" %}</a></li>
       <li><a href="{% url 'checks' %}?project={{ object.slug }}&amp;ignored=true">{% trans "Ignored checks" %}</a></li>
-      {% if perms.trans.manage_acl and object.enable_acl %}
+      {% if user_can_manage_acl %}
       <li><a href="#acl" data-toggle="tab">{% trans "Manage users" %}</a></li>
       {% endif %}
     </ul>
@@ -145,7 +146,7 @@
 </div>
 {% endif %}
 
-{% if perms.trans.manage_acl and object.enable_acl %}
+{% if user_can_manage_acl %}
 <div class="tab-pane" id="acl">
 <div class="container-fluid">
 <div class="row">

weblate/trans/permissions.py

@@ -232,7 +232,7 @@ def can_edit_priority(user, project):
 @cache_permission
 def can_ignore_check(user, project):
     """
-    Checks whether user can edit translation priority.
+    Checks whether user can ignore check.
     """
     return check_permission(user, project, 'trans.ignore_check')
 
@@ -240,6 +240,17 @@ def can_ignore_check(user, project):
 @cache_permission
 def can_delete_comment(user, project):
     """
-    Checks whether user can edit translation priority.
+    Checks whether user can delete comment on given project.
     """
     return check_permission(user, project, 'trans.delete_comment')
+
+
+@cache_permission
+def can_manage_acl(user, project):
+    """
+    Checks whether user can manage ACL on given project.
+    """
+    if not project.enable_acl:
+        return False
+
+    return check_permission(user, project, 'trans.manage_acl')

weblate/trans/templatetags/permissions.py

@@ -111,3 +111,8 @@ def can_ignore_check(user, project):
 @register.assignment_tag
 def can_delete_comment(user, project):
     return weblate.trans.permissions.can_delete_comment(user, project)
+
+
+@register.assignment_tag
+def can_manage_acl(user, project):
+    return weblate.trans.permissions.can_manage_acl(user, project)

weblate/trans/views/acl.py

@@ -19,27 +19,30 @@
 #
 
 from django.utils.translation import ugettext as _
-from django.contrib.auth.decorators import permission_required
+from django.contrib.auth.decorators import login_required
 from django.db.models import Q
 from django.contrib.auth.models import User
 from django.contrib import messages
 from django.views.decorators.http import require_POST
+from django.core.exceptions import PermissionDenied
 
 from weblate.trans.util import redirect_param
 from weblate.trans.forms import AddUserForm
 from weblate.trans.views.helper import get_project
+from weblate.trans.permissions import can_manage_acl
 
 
 @require_POST
-@permission_required('trans.manage_acl')
+@login_required
 def add_user(request, project):
     obj = get_project(request, project)
 
+    if not can_manage_acl(request.user, obj):
+        raise PermissionDenied()
+
     form = AddUserForm(request.POST)
 
-    if not obj.enable_acl:
-        messages.error(request, _('ACL not enabled for this project!'))
-    elif form.is_valid():
+    if form.is_valid():
         try:
             user = User.objects.get(
                 Q(username=form.cleaned_data['name']) |
@@ -64,10 +67,13 @@ def add_user(request, project):
 
 
 @require_POST
-@permission_required('trans.manage_acl')
+@login_required
 def delete_user(request, project):
     obj = get_project(request, project)
 
+    if not can_manage_acl(request.user, obj):
+        raise PermissionDenied()
+
     form = AddUserForm(request.POST)
 
     if form.is_valid():