From b80e4302baffe5cc79aedca35aaf85cc5ef61eff Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Tue, 6 Oct 2020 20:29:16 +1100
Subject: [PATCH] Update permissions for build app

---
 .../build/templates/build/build_base.html     | 12 ++---
 InvenTree/build/tests.py                      | 45 ++++++++++++++++++-
 InvenTree/build/views.py                      | 18 +++++++-
 3 files changed, 67 insertions(+), 8 deletions(-)

diff --git a/InvenTree/build/templates/build/build_base.html b/InvenTree/build/templates/build/build_base.html
index ed3da576d5..f076013def 100644
--- a/InvenTree/build/templates/build/build_base.html
+++ b/InvenTree/build/templates/build/build_base.html
@@ -41,19 +41,21 @@ src="{% static 'img/blank_image.png' %}"
 </h4>
 <div class='btn-row'>
     <div class='btn-group action-buttons'>
-        <button type='button' class='btn btn-default' id='build-edit' title='Edit Build'>
+        {% if roles.build.change %}
+        <button type='button' class='btn btn-default' id='build-edit' title='{% trans "Edit Build" %}'>
             <span class='fas fa-edit icon-green'/>
         </button>
         {% if build.is_active %}
-        <button type='button' class='btn btn-default' id='build-complete' title="Complete Build">
+        <button type='button' class='btn btn-default' id='build-complete' title='{% trans "Complete Build" %}'>
             <span class='fas fa-tools'/>
         </button>
-        <button type='button' class='btn btn-default btn-glyph' id='build-cancel' title='Cancel Build'>
+        <button type='button' class='btn btn-default btn-glyph' id='build-cancel' title='{% trans "Cancel Build" %}'>
             <span class='fas fa-times-circle icon-red'/>
         </button>
         {% endif %}
-        {% if build.status == BuildStatus.CANCELLED %}
-        <button type='button' class='btn btn-default btn-glyph' id='build-delete' title='Delete Build'>
+        {% endif %}
+        {% if build.status == BuildStatus.CANCELLED and roles.build.delete %}
+        <button type='button' class='btn btn-default btn-glyph' id='build-delete' title='{% trans "Delete Build" %}'>
             <span class='fas fa-trash-alt icon-red'/>
         </button>
         {% endif %}
diff --git a/InvenTree/build/tests.py b/InvenTree/build/tests.py
index 9b6d51c33a..92ca034a4a 100644
--- a/InvenTree/build/tests.py
+++ b/InvenTree/build/tests.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.test import TestCase
 from django.urls import reverse
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
 
 from rest_framework.test import APITestCase
 from rest_framework import status
@@ -30,6 +31,20 @@ class BuildTestSimple(TestCase):
         User.objects.create_user('testuser', 'test@testing.com', 'password')
 
         self.user = User.objects.get(username='testuser')
+
+        g = Group.objects.create(name='builders')
+        self.user.groups.add(g)
+
+        for rule in g.rule_sets.all():
+            if rule.name == 'build':
+                rule.can_change = True
+                rule.can_add = True
+                rule.can_delete = True
+
+                rule.save()
+
+        g.save()
+
         self.client.login(username='testuser', password='password')
 
     def test_build_objects(self):
@@ -94,7 +109,20 @@ class TestBuildAPI(APITestCase):
     def setUp(self):
         # Create a user for auth
         User = get_user_model()
-        User.objects.create_user('testuser', 'test@testing.com', 'password')
+        user = User.objects.create_user('testuser', 'test@testing.com', 'password')
+
+        g = Group.objects.create(name='builders')
+        user.groups.add(g)
+
+        for rule in g.rule_sets.all():
+            if rule.name == 'build':
+                rule.can_change = True
+                rule.can_add = True
+                rule.can_delete = True
+
+                rule.save()
+
+        g.save()
 
         self.client.login(username='testuser', password='password')
 
@@ -131,7 +159,20 @@ class TestBuildViews(TestCase):
 
         # Create a user
         User = get_user_model()
-        User.objects.create_user('username', 'user@email.com', 'password')
+        user = User.objects.create_user('username', 'user@email.com', 'password')
+
+        g = Group.objects.create(name='builders')
+        user.groups.add(g)
+
+        for rule in g.rule_sets.all():
+            if rule.name == 'build':
+                rule.can_change = True
+                rule.can_add = True
+                rule.can_delete = True
+
+                rule.save()
+
+        g.save()
 
         self.client.login(username='username', password='password')
 
diff --git a/InvenTree/build/views.py b/InvenTree/build/views.py
index 88dc66085f..b2b8b24502 100644
--- a/InvenTree/build/views.py
+++ b/InvenTree/build/views.py
@@ -17,16 +17,18 @@ from . import forms
 from stock.models import StockLocation, StockItem
 
 from InvenTree.views import AjaxUpdateView, AjaxCreateView, AjaxDeleteView
+from InvenTree.views import InvenTreeRoleMixin
 from InvenTree.helpers import str2bool, ExtractSerialNumbers
 from InvenTree.status_codes import BuildStatus
 
 
-class BuildIndex(ListView):
+class BuildIndex(InvenTreeRoleMixin, ListView):
     """ View for displaying list of Builds
     """
     model = Build
     template_name = 'build/index.html'
     context_object_name = 'builds'
+    role_required = 'build.view'
 
     def get_queryset(self):
         """ Return all Build objects (order by date, newest first) """
@@ -56,6 +58,7 @@ class BuildCancel(AjaxUpdateView):
     ajax_form_title = _('Cancel Build')
     context_object_name = 'build'
     form_class = forms.CancelBuildForm
+    role_required = 'build.change'
 
     def post(self, request, *args, **kwargs):
         """ Handle POST request. Mark the build status as CANCELLED """
@@ -94,6 +97,7 @@ class BuildAutoAllocate(AjaxUpdateView):
     context_object_name = 'build'
     ajax_form_title = _('Allocate Stock')
     ajax_template_name = 'build/auto_allocate.html'
+    role_required = 'build.change'
 
     def get_context_data(self, *args, **kwargs):
         """ Get the context data for form rendering. """
@@ -147,6 +151,7 @@ class BuildUnallocate(AjaxUpdateView):
     form_class = forms.ConfirmBuildForm
     ajax_form_title = _("Unallocate Stock")
     ajax_template_name = "build/unallocate.html"
+    form_required = 'build.change'
 
     def post(self, request, *args, **kwargs):
 
@@ -184,6 +189,7 @@ class BuildComplete(AjaxUpdateView):
     context_object_name = "build"
     ajax_form_title = _("Complete Build")
     ajax_template_name = "build/complete.html"
+    role_required = 'build.change'
 
     def get_form(self):
         """ Get the form object.
@@ -325,6 +331,7 @@ class BuildNotes(UpdateView):
     context_object_name = 'build'
     template_name = 'build/notes.html'
     model = Build
+    role_required = 'build.view'
 
     fields = ['notes']
 
@@ -342,9 +349,11 @@ class BuildNotes(UpdateView):
 
 class BuildDetail(DetailView):
     """ Detail view of a single Build object. """
+
     model = Build
     template_name = 'build/detail.html'
     context_object_name = 'build'
+    role_required = 'build.view'
 
     def get_context_data(self, **kwargs):
 
@@ -363,6 +372,7 @@ class BuildAllocate(DetailView):
     model = Build
     context_object_name = 'build'
     template_name = 'build/allocate.html'
+    role_required = ['build.change']
 
     def get_context_data(self, **kwargs):
         """ Provide extra context information for the Build allocation page """
@@ -392,6 +402,7 @@ class BuildCreate(AjaxCreateView):
     form_class = forms.EditBuildForm
     ajax_form_title = _('Start new Build')
     ajax_template_name = 'modal_form.html'
+    role_required = 'build.add'
 
     def get_initial(self):
         """ Get initial parameters for Build creation.
@@ -427,6 +438,7 @@ class BuildUpdate(AjaxUpdateView):
     context_object_name = 'build'
     ajax_form_title = _('Edit Build Details')
     ajax_template_name = 'modal_form.html'
+    role_required = 'build.change'
 
     def get_data(self):
         return {
@@ -440,6 +452,7 @@ class BuildDelete(AjaxDeleteView):
     model = Build
     ajax_template_name = 'build/delete_build.html'
     ajax_form_title = _('Delete Build')
+    role_required = 'build.delete'
 
 
 class BuildItemDelete(AjaxDeleteView):
@@ -451,6 +464,7 @@ class BuildItemDelete(AjaxDeleteView):
     ajax_template_name = 'build/delete_build_item.html'
     ajax_form_title = _('Unallocate Stock')
     context_object_name = 'item'
+    role_required = 'build.delete'
 
     def get_data(self):
         return {
@@ -465,6 +479,7 @@ class BuildItemCreate(AjaxCreateView):
     form_class = forms.EditBuildItemForm
     ajax_template_name = 'build/create_build_item.html'
     ajax_form_title = _('Allocate new Part')
+    role_required = 'build.add'
 
     part = None
     available_stock = None
@@ -618,6 +633,7 @@ class BuildItemEdit(AjaxUpdateView):
     ajax_template_name = 'modal_form.html'
     form_class = forms.EditBuildItemForm
     ajax_form_title = _('Edit Stock Allocation')
+    role_required = 'build.change'
 
     def get_data(self):
         return {