From b1a0d7e64313398dee1d1a10752aad406c52d422 Mon Sep 17 00:00:00 2001
From: Ryan Trinh <ryantrinh05@berkeley.edu>
Date: Sat, 7 Jun 2025 00:45:12 -0700
Subject: [PATCH 1/2] Added committee-based permissions

---
 hknweb/settings/common.py                     | 24 +++++++++++-
 hknweb/studentservices/views.py               |  5 ++-
 hknweb/templates/about/people.html            | 30 ++++++++-------
 hknweb/templates/committees.html              | 13 ++++---
 .../studentservices/course_description.html   |  2 +-
 hknweb/tutoring/views/courses.py              |  5 ++-
 hknweb/tutoring/views/tutoringportal.py       |  5 ++-
 hknweb/utils.py                               | 20 ++++++++++
 hknweb/views/people.py                        | 14 +++++--
 hknweb/views/users.py                         | 37 ++++++++++++++-----
 10 files changed, 114 insertions(+), 41 deletions(-)

diff --git a/hknweb/settings/common.py b/hknweb/settings/common.py
index ac01a86a..9d2e813b 100644
--- a/hknweb/settings/common.py
+++ b/hknweb/settings/common.py
@@ -15,6 +15,8 @@
 
 from hknweb.utils import DATETIME_12_HOUR_FORMAT
 
+from enum import Enum
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
@@ -179,7 +181,27 @@
 CAND_GROUP = "candidate"
 OFFICER_GROUP = "officer"
 EXEC_GROUP = "exec"
-
+MEMBER_GROUP = "member"
+
+# committee groups
+ACT_GROUP = "act"
+BRIDGE_GROUP = "bridge"
+COMPSEV_GROUP = "compserv"
+DECAL_GROUP = "decal"
+INDREL_GROUP = "indrel"
+PRODEV_GROUP = "prodev"
+SERV_GROUP = "serv"
+STUDREL_GROUP = "studrel"
+TUTORING_GROUP = "tutoring"
+
+# exec groups
+CSEC_GROUP = "csec"
+PRES_GROUP = "pres"
+RSEC_GROUP = "rsec"
+TRES_GROUP = "tres"
+IVP_GROUP = "ivp"
+EVP_GROUP = "evp"
+DEPREL_GROUP = "deprel"
 
 # Note: both candidate and officer group should have permission to add officer challenges
 
diff --git a/hknweb/studentservices/views.py b/hknweb/studentservices/views.py
index c5ce4b9b..8dba1ac0 100644
--- a/hknweb/studentservices/views.py
+++ b/hknweb/studentservices/views.py
@@ -13,6 +13,7 @@
     allow_public_access,
     login_and_access_level,
     GROUP_TO_ACCESSLEVEL,
+    login_and_committee,
 )
 from hknweb.studentservices.models import (
     CourseGuideNode,
@@ -192,7 +193,7 @@ def course_description(request, slug):
     return render(request, "studentservices/course_description.html", context=context)
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def edit_description(request, slug):
     course = get_object_or_404(CourseDescription, slug=slug)
     if request.method == "GET":
@@ -211,7 +212,7 @@ def edit_description(request, slug):
     return render(request, "studentservices/course_edit.html", context=context)
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def delete_description(request, slug):
     course = get_object_or_404(CourseDescription, slug=slug)
 
diff --git a/hknweb/templates/about/people.html b/hknweb/templates/about/people.html
index 6ba5a987..e0c3f978 100644
--- a/hknweb/templates/about/people.html
+++ b/hknweb/templates/about/people.html
@@ -17,22 +17,24 @@
     }
 </style>
 <script>
-    function toggle_edit(button) {
-        button.disabled = true;
+    {% if viewer_in_bridge %}
+        function toggle_edit(button) {
+            button.disabled = true;
 
-        const urlParams = new URLSearchParams(window.location.search);
-        if (urlParams.has("edit")) {
-            urlParams.delete("edit");
-        } else {
-            urlParams.set("edit", "true");
-        }
+            const urlParams = new URLSearchParams(window.location.search);
+            if (urlParams.has("edit")) {
+                urlParams.delete("edit");
+            } else {
+                urlParams.set("edit", "true");
+            }
 
-        if (history.pushState) {
-            var newurl = window.location.origin + window.location.pathname + "?" + urlParams.toString();
-            window.history.replaceState({path: newurl}, "", newurl);
-            window.location = window.location;
+            if (history.pushState) {
+                var newurl = window.location.origin + window.location.pathname + "?" + urlParams.toString();
+                window.history.replaceState({path: newurl}, "", newurl);
+                window.location = window.location;
+            }
         }
-    }
+    {% endif %}
 </script>
 
 <script async src="//embedr.flickr.com/assets/client-code.js" charset="utf-8"></script>
@@ -53,7 +55,7 @@
 {% block content %}
     <div style="text-align: center; overflow: auto;">
         <!-- Edit button -->
-        {% if is_officer %}
+        {% if viewer_in_bridge %}
             <button
                 onclick="toggle_edit(this)"
                 style="border-radius: 0.3em; border-width: 0.02em;"
diff --git a/hknweb/templates/committees.html b/hknweb/templates/committees.html
index 7e9b5f2a..b1e926e3 100644
--- a/hknweb/templates/committees.html
+++ b/hknweb/templates/committees.html
@@ -7,12 +7,13 @@
 
 
 {% block "portal-content" %}
-
-<a href="{% url 'tutoring:tutoring_portal' %}"> 
-    <div class="portal-content">
-        <h2>Tutoring</h2>
-    </div> 
-</a>
+{% if viewer_in_tutoring %}
+    <a href="{% url 'tutoring:tutoring_portal' %}"> 
+        <div class="portal-content">
+            <h2>Tutoring</h2>
+        </div> 
+    </a>
+{% endif %}
 
 <a href="{% url 'login' %}?next={{ request.path|urlencode }}">
     <div class="portal-content">
diff --git a/hknweb/templates/studentservices/course_description.html b/hknweb/templates/studentservices/course_description.html
index 0161d2d1..c4a6f439 100644
--- a/hknweb/templates/studentservices/course_description.html
+++ b/hknweb/templates/studentservices/course_description.html
@@ -16,7 +16,7 @@
             <!-- Title -->
             <div class="course-title-section">
                 <h2 class="course-title">{{ course.title|default:"Course Title" }}</h2>
-                {% if viewer_is_an_officer %}
+                {% if viewer_in_tutoring %}
                     <p> Last Updated: {{ course.updated_at }} </p>
                     <a href="{{ request.path }}edit"> Edit Page </a>
                 {% endif %}
diff --git a/hknweb/tutoring/views/courses.py b/hknweb/tutoring/views/courses.py
index e60b7c80..2857ca32 100644
--- a/hknweb/tutoring/views/courses.py
+++ b/hknweb/tutoring/views/courses.py
@@ -1,10 +1,11 @@
 from django.shortcuts import render
-from hknweb.utils import login_and_access_level, GROUP_TO_ACCESSLEVEL
+from hknweb.utils import login_and_committee
 from hknweb.studentservices.models import CourseDescription
 from hknweb.tutoring.forms import AddCourseForm
+from django.conf import settings
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def courses(request):
     if request.method == "POST":
         new_course = AddCourseForm(request.POST)
diff --git a/hknweb/tutoring/views/tutoringportal.py b/hknweb/tutoring/views/tutoringportal.py
index ea8327e4..a82db00b 100644
--- a/hknweb/tutoring/views/tutoringportal.py
+++ b/hknweb/tutoring/views/tutoringportal.py
@@ -1,7 +1,8 @@
 from django.shortcuts import render
-from hknweb.utils import login_and_access_level, GROUP_TO_ACCESSLEVEL
+from hknweb.utils import login_and_committee, GROUP_TO_ACCESSLEVEL
+from django.conf import settings
 
 
-@login_and_access_level(GROUP_TO_ACCESSLEVEL["officer"])
+@login_and_committee(settings.TUTORING_GROUP)
 def tutoringportal(request):
     return render(request, "tutoring/portal.html")
diff --git a/hknweb/utils.py b/hknweb/utils.py
index b6f28809..22ddab44 100644
--- a/hknweb/utils.py
+++ b/hknweb/utils.py
@@ -99,6 +99,26 @@ def login_and_access_level(access_level):
     )
 
 
+# Committee Permission checks
+def committee_required(committee):
+    def test_user(user):
+        if (
+            not user.groups.filter(name=committee).exists()
+            and not user.groups.filter(name=settings.EXEC_GROUP).exists()
+        ):
+            raise PermissionDenied
+        return True
+
+    return user_passes_test(test_user)
+
+
+def login_and_committee(committee):
+    return _wrap_with_access_check(
+        f"Must be in {committee}",
+        committee_required(committee),
+    )
+
+
 def method_login_and_permission(permission_name):
     return method_decorator(login_and_permission(permission_name), name="dispatch")
 
diff --git a/hknweb/views/people.py b/hknweb/views/people.py
index 8dda7b50..6fbd600c 100644
--- a/hknweb/views/people.py
+++ b/hknweb/views/people.py
@@ -2,6 +2,8 @@
 from django.db.models import QuerySet
 from django.contrib.auth.models import User
 from django.http import Http404
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
 
 from hknweb.utils import allow_public_access, get_access_level, GROUP_TO_ACCESSLEVEL
 
@@ -16,6 +18,13 @@ def people(request):
     if "semester" in request.GET and not request.GET["semester"].isdigit():
         raise Http404
 
+    is_bridge = request.user.groups.filter(name=settings.BRIDGE_GROUP)
+
+    # Prevents unauthorized users from just typing the url to edit the page
+    if request.GET.get("edit") == "true":
+        if not is_bridge:
+            raise PermissionDenied
+
     semester: Semester = Semester.objects.filter(
         pk=request.GET.get("semester") or None
     ).first()
@@ -40,10 +49,8 @@ def people(request):
             committee__is_exec=False
         ).order_by("committee__name")
 
-    is_officer = get_access_level(request.user) <= GROUP_TO_ACCESSLEVEL["officer"]
-
     form = ProfilePictureForm(request.POST)
-    if is_officer and request.method == "POST":
+    if is_bridge and request.method == "POST":
         user = User.objects.get(pk=request.POST["user_id"])
         form.instance = user.profile
         if form.is_valid():
@@ -52,7 +59,6 @@ def people(request):
     context = {
         "execs": execs,
         "committeeships": committeeships,
-        "is_officer": is_officer,
         "form": form,
         "semester_select_form": SemesterSelectForm({"semester": semester}),
     }
diff --git a/hknweb/views/users.py b/hknweb/views/users.py
index 0a0753c2..dbf55bcf 100644
--- a/hknweb/views/users.py
+++ b/hknweb/views/users.py
@@ -21,19 +21,38 @@
 
 # context processor for base to know whether a user is in the officer group
 def add_officer_context(request):
-    return {
-        "viewer_is_an_officer": request.user.groups.filter(
-            name=settings.OFFICER_GROUP
-        ).exists()
+    usergroups = request.user.groups
+    committees = [
+        "act",
+        "bridge",
+        "compserv",
+        "decal",
+        "indrel",
+        "prodev",
+        "serv",
+        "studrel",
+        "tutoring",
+    ]
+    context = {
+        "viewer_is_an_officer": usergroups.filter(name=settings.OFFICER_GROUP).exists()
     }
+    for committee in committees:
+        context[f"viewer_in_{committee}"] = (
+            usergroups.filter(name=committee).exists()
+            or usergroups.filter(name=settings.EXEC_GROUP).exists()
+        )
+    return context
 
 
 def add_exec_context(request):
-    return {
-        "viewer_is_an_exec": request.user.groups.filter(
-            name=settings.EXEC_GROUP
-        ).exists()
+    usergroups = request.user.groups
+    execs = ["csec", "pres", "rsec", "tres", "ivp", "evp", "deprel"]
+    context = {
+        "viewer_is_an_exec": usergroups.filter(name=settings.EXEC_GROUP).exists()
     }
+    for exec in execs:
+        context[f"viewer_in_{exec}"] = usergroups.filter(name=exec).exists()
+    return context
 
 
 def get_current_cand_semester():  # pragma: no cover
@@ -77,7 +96,7 @@ def account_create(request):
                     candidate_password.lower()
                     == form.cleaned_data["candidate_password"].lower()
                 ):
-                    group = Group.objects.get(name=settings.CAND_GROUP)
+                    group = Group.objects.get(name=settings.UserGroup.CAND_GROUP)
                     group.user_set.add(user)
                     group.save()
 

From e0b29617b9ff01c007758329181277ff7aa8d51d Mon Sep 17 00:00:00 2001
From: Ryan Trinh <ryantrinh05@berkeley.edu>
Date: Tue, 24 Jun 2025 13:59:10 -0700
Subject: [PATCH 2/2] Added Exec Decorator and Unit Tests

---
 hknweb/settings/common.py       |  24 +++++-
 hknweb/studentservices/views.py |   1 -
 hknweb/utils.py                 |  27 ++++++-
 hknweb/views/people.py          |   2 +-
 hknweb/views/users.py           |  16 +---
 tests/views/test_group.py       | 126 ++++++++++++++++++++++++++++++++
 6 files changed, 176 insertions(+), 20 deletions(-)
 create mode 100644 tests/views/test_group.py

diff --git a/hknweb/settings/common.py b/hknweb/settings/common.py
index 9d2e813b..7bd96123 100644
--- a/hknweb/settings/common.py
+++ b/hknweb/settings/common.py
@@ -186,7 +186,7 @@
 # committee groups
 ACT_GROUP = "act"
 BRIDGE_GROUP = "bridge"
-COMPSEV_GROUP = "compserv"
+COMPSERV_GROUP = "compserv"
 DECAL_GROUP = "decal"
 INDREL_GROUP = "indrel"
 PRODEV_GROUP = "prodev"
@@ -194,6 +194,18 @@
 STUDREL_GROUP = "studrel"
 TUTORING_GROUP = "tutoring"
 
+COMMITTEE_GROUPS = (
+    ACT_GROUP,
+    BRIDGE_GROUP,
+    COMPSERV_GROUP,
+    DECAL_GROUP,
+    INDREL_GROUP,
+    PRODEV_GROUP,
+    SERV_GROUP,
+    STUDREL_GROUP,
+    TUTORING_GROUP,
+)
+
 # exec groups
 CSEC_GROUP = "csec"
 PRES_GROUP = "pres"
@@ -203,6 +215,16 @@
 EVP_GROUP = "evp"
 DEPREL_GROUP = "deprel"
 
+EXEC_GROUPS = (
+    CSEC_GROUP,
+    PRES_GROUP,
+    RSEC_GROUP,
+    TRES_GROUP,
+    IVP_GROUP,
+    EVP_GROUP,
+    DEPREL_GROUP,
+)
+
 # Note: both candidate and officer group should have permission to add officer challenges
 
 # Markdown settings
diff --git a/hknweb/studentservices/views.py b/hknweb/studentservices/views.py
index 8dba1ac0..2a946f78 100644
--- a/hknweb/studentservices/views.py
+++ b/hknweb/studentservices/views.py
@@ -11,7 +11,6 @@
 from hknweb.events.views.event_transactions.show_event import show_details_helper
 from hknweb.utils import (
     allow_public_access,
-    login_and_access_level,
     GROUP_TO_ACCESSLEVEL,
     login_and_committee,
 )
diff --git a/hknweb/utils.py b/hknweb/utils.py
index 22ddab44..8a8d78f1 100644
--- a/hknweb/utils.py
+++ b/hknweb/utils.py
@@ -21,8 +21,6 @@
 from django.utils.safestring import mark_safe
 from pytz import timezone
 
-###
-
 
 # constants
 
@@ -99,8 +97,11 @@ def login_and_access_level(access_level):
     )
 
 
-# Committee Permission checks
+# Committee Permission Checks
 def committee_required(committee):
+    if committee not in settings.COMMITTEE_GROUPS:
+        return ValueError("Invalid Committee Group")
+
     def test_user(user):
         if (
             not user.groups.filter(name=committee).exists()
@@ -119,6 +120,26 @@ def login_and_committee(committee):
     )
 
 
+# Exec Permission Checks
+def exec_required(position):
+    if position not in settings.EXEC_GROUPS:
+        return ValueError("Invalid Exec Position")
+
+    def test_user(user):
+        if not user.groups.filter(name=position).exists():
+            raise PermissionDenied
+        return True
+
+    return user_passes_test(test_user)
+
+
+def login_and_exec(position):
+    return _wrap_with_access_check(
+        f"Must be {position}",
+        exec_required(position),
+    )
+
+
 def method_login_and_permission(permission_name):
     return method_decorator(login_and_permission(permission_name), name="dispatch")
 
diff --git a/hknweb/views/people.py b/hknweb/views/people.py
index 6fbd600c..996fc43e 100644
--- a/hknweb/views/people.py
+++ b/hknweb/views/people.py
@@ -18,7 +18,7 @@ def people(request):
     if "semester" in request.GET and not request.GET["semester"].isdigit():
         raise Http404
 
-    is_bridge = request.user.groups.filter(name=settings.BRIDGE_GROUP)
+    is_bridge = request.user.groups.filter(name=settings.BRIDGE_GROUP).exists()
 
     # Prevents unauthorized users from just typing the url to edit the page
     if request.GET.get("edit") == "true":
diff --git a/hknweb/views/users.py b/hknweb/views/users.py
index dbf55bcf..0185ba9a 100644
--- a/hknweb/views/users.py
+++ b/hknweb/views/users.py
@@ -22,21 +22,10 @@
 # context processor for base to know whether a user is in the officer group
 def add_officer_context(request):
     usergroups = request.user.groups
-    committees = [
-        "act",
-        "bridge",
-        "compserv",
-        "decal",
-        "indrel",
-        "prodev",
-        "serv",
-        "studrel",
-        "tutoring",
-    ]
     context = {
         "viewer_is_an_officer": usergroups.filter(name=settings.OFFICER_GROUP).exists()
     }
-    for committee in committees:
+    for committee in settings.COMMITTEE_GROUPS:
         context[f"viewer_in_{committee}"] = (
             usergroups.filter(name=committee).exists()
             or usergroups.filter(name=settings.EXEC_GROUP).exists()
@@ -46,11 +35,10 @@ def add_officer_context(request):
 
 def add_exec_context(request):
     usergroups = request.user.groups
-    execs = ["csec", "pres", "rsec", "tres", "ivp", "evp", "deprel"]
     context = {
         "viewer_is_an_exec": usergroups.filter(name=settings.EXEC_GROUP).exists()
     }
-    for exec in execs:
+    for exec in settings.EXEC_GROUPS:
         context[f"viewer_in_{exec}"] = usergroups.filter(name=exec).exists()
     return context
 
diff --git a/tests/views/test_group.py b/tests/views/test_group.py
new file mode 100644
index 00000000..32ae8921
--- /dev/null
+++ b/tests/views/test_group.py
@@ -0,0 +1,126 @@
+from django.conf import settings
+from django.test import TestCase, RequestFactory
+from django.http import HttpResponse
+
+from collections import namedtuple
+from django.core.exceptions import PermissionDenied
+from tests.events.models.utils import ModelFactory
+from django.contrib.auth.models import Group, AnonymousUser
+from hknweb.utils import login_and_committee, login_and_exec
+
+
+class UsersGroupsTest(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.cand = ModelFactory.create_user(username="cand")
+        cls.officer = ModelFactory.create_user(username="officer")
+        cls.exec = ModelFactory.create_user(username="exec")
+        cls.bridge = ModelFactory.create_user(username="bridge")
+        cls.tutoring = ModelFactory.create_user(username="tutoring")
+        cls.csec = ModelFactory.create_user(username="csec")
+        cls.pres = ModelFactory.create_user(username="pres")
+        cls.anon = AnonymousUser()
+
+        data = namedtuple("data", "user group bridge tutoring csec pres")
+
+        cls.user_data = (
+            data(cls.cand, settings.CAND_GROUP, 403, 403, 403, 403),
+            data(cls.officer, settings.OFFICER_GROUP, 403, 403, 403, 403),
+            data(cls.exec, settings.EXEC_GROUP, 200, 200, 403, 403),
+            data(cls.bridge, settings.BRIDGE_GROUP, 200, 403, 403, 403),
+            data(cls.tutoring, settings.TUTORING_GROUP, 403, 200, 403, 403),
+            data(cls.csec, settings.CSEC_GROUP, 403, 403, 200, 403),
+            data(cls.pres, settings.PRES_GROUP, 403, 403, 403, 200),
+            data(cls.anon, None, 302, 302, 302, 302),
+        )
+
+        for curr in cls.user_data:
+            if curr.user == cls.anon:
+                continue
+            curr_group = Group.objects.create(name=curr.group)
+            curr.user.groups.add(curr_group)
+
+    def setUp(self):
+        # https://docs.djangoproject.com/en/5.1/topics/testing/advanced/#django.test.RequestFactory
+
+        self.factory = RequestFactory()
+
+    def test_bridge_committee_req(self):
+        @login_and_committee(settings.BRIDGE_GROUP)
+        def bridge_test_view(request):
+            return HttpResponse("Access Granted")
+
+        for data in self.user_data:
+            user = data.user
+            target_status = data.bridge
+            with self.subTest(
+                Username=getattr(user, "username", "anon"), goal=target_status
+            ):
+                request = self.factory.get("/test-bridge/")
+                request.user = user
+                if target_status == 403:
+                    with self.assertRaises(PermissionDenied):
+                        bridge_test_view(request)
+                else:
+                    response = bridge_test_view(request)
+                    self.assertEqual(response.status_code, target_status)
+
+    def test_tutoring_committee_req(self):
+        @login_and_committee(settings.TUTORING_GROUP)
+        def tutoring_test_view(request):
+            return HttpResponse("Access Granted")
+
+        for data in self.user_data:
+            user = data.user
+            target_status = data.tutoring
+            with self.subTest(
+                Username=getattr(user, "username", "anon"), goal=target_status
+            ):
+                request = self.factory.get("/test-tutoring/")
+                request.user = user
+                if target_status == 403:
+                    with self.assertRaises(PermissionDenied):
+                        tutoring_test_view(request)
+                else:
+                    response = tutoring_test_view(request)
+                    self.assertEqual(response.status_code, target_status)
+
+    def test_csec_exec_req(self):
+        @login_and_exec(settings.CSEC_GROUP)
+        def csec_test_view(request):
+            return HttpResponse("Access Granted")
+
+        for data in self.user_data:
+            user = data.user
+            target_status = data.csec
+            with self.subTest(
+                Username=getattr(user, "username", "anon"), goal=target_status
+            ):
+                request = self.factory.get("/test-csec/")
+                request.user = user
+                if target_status == 403:
+                    with self.assertRaises(PermissionDenied):
+                        csec_test_view(request)
+                else:
+                    response = csec_test_view(request)
+                    self.assertEqual(response.status_code, target_status)
+
+    def test_pres_exec_req(self):
+        @login_and_exec(settings.PRES_GROUP)
+        def pres_test_view(request):
+            return HttpResponse("Access Granted")
+
+        for data in self.user_data:
+            user = data.user
+            target_status = data.pres
+            with self.subTest(
+                Username=getattr(user, "username", "anon"), goal=target_status
+            ):
+                request = self.factory.get("/test-pres/")
+                request.user = user
+                if target_status == 403:
+                    with self.assertRaises(PermissionDenied):
+                        pres_test_view(request)
+                else:
+                    response = pres_test_view(request)
+                    self.assertEqual(response.status_code, target_status)