Fix viewer role login

MWargelin · MWargelin · commit c04c5a4b7f03 · 2025-06-18T10:50:21.000+03:00
Pre-existing viewer role could not log in. Fix login by modifying what
is considered an "adminable instance" for a user and by adding access to
wagtail admin as permission for the viewer role.
diff --git a/admin_site/wagtail_hooks.py b/admin_site/wagtail_hooks.py
@@ -53,7 +53,7 @@ class InstanceItem(MenuItem):
 class InstanceChooserMenu(Menu):
     def menu_items_for_request(self, request: PathsAdminRequest):
         user = request.user
-        instances = InstanceConfig.permission_policy().instances_user_has_any_permission_for(user, ['change'])
+        instances = user.get_adminable_instances()
         if len(instances) < 2:
             return []
         items = []
diff --git a/nodes/models.py b/nodes/models.py
@@ -151,13 +151,16 @@ def is_framework_viewer(self, user: User, obj: InstanceConfig) -> bool:
             return False
         return user.has_instance_role(self.fw_viewer_role, obj.framework_config.framework)
 
-    def construct_perm_q(self, user: User, action: ObjectSpecificAction) -> models.Q | None:
+    def construct_perm_q(self, user: User, action: ObjectSpecificAction, include_implicit_public: bool = True) -> models.Q | None:
         is_admin = self.admin_role.role_q(user)
         is_viewer = self.viewer_role.role_q(user)
         is_fw_admin = self.fw_admin_role.role_q(user, prefix='framework_config__framework')
         is_fw_viewer = self.fw_viewer_role.role_q(user, prefix='framework_config__framework')
         if action == 'view':
-            return is_viewer | is_admin | is_fw_admin | is_fw_viewer | Q(framework_config__isnull=True)
+            q = is_viewer | is_admin | is_fw_admin | is_fw_viewer
+            if include_implicit_public:
+                q |= Q(framework_config__isnull=True)
+            return q
         return is_admin | is_fw_admin
 
     def construct_perm_q_anon(self, action: BaseObjectAction) -> Q | None:
@@ -167,7 +170,16 @@ def construct_perm_q_anon(self, action: BaseObjectAction) -> Q | None:
         return None
 
     def adminable_instances(self, user: User) -> InstanceConfigQuerySet:
-        return self.instances_user_has_any_permission_for(user, ['change'])
+        """
+        Return instances that the user has been explicitly granted access to.
+
+        We can't simply use the 'view' permission on InstanceConfig, because
+        most instances will be public by default.
+        """
+        qs = self.get_queryset()
+        if user.is_superuser:
+            return qs
+        return qs.filter(self.construct_perm_q(user, 'view', include_implicit_public=False))
 
     def user_has_perm(self, user: User, action: ObjectSpecificAction, obj: InstanceConfig) -> bool:
         if action == 'delete':
diff --git a/nodes/roles.py b/nodes/roles.py
@@ -60,6 +60,7 @@ class InstanceViewerRole(InstanceGroupMembershipRole, InstanceSpecificRole['Inst
     instance_group_field_name = 'viewer_group'
 
     model_perms = [
+        ('wagtailadmin', 'admin', ('access',)),
         ('nodes', ('instanceconfig', 'nodeconfig'), ('view',)),
         ('frameworks', (
             'framework', 'frameworkconfig', 'measure', 'measuredatapoint',
diff --git a/paths/middleware.py b/paths/middleware.py
@@ -67,8 +67,7 @@ async def get_admin_instance(self, request: PathsAdminRequest) -> None | Instanc
             instance_config = await InstanceConfig.objects.filter(id=admin_instance_id).afirst()
 
         adminable_instances = [
-            ic async for ic in InstanceConfig.permission_policy().instances_user_has_any_permission_for(user, ['change'])
-            .filter(site__isnull=False)
+            ic async for ic in user.get_adminable_instances().filter(site__isnull=False)
         ]
         if instance_config is not None and instance_config not in adminable_instances:
             instance_config = None
diff --git a/users/models.py b/users/models.py
@@ -72,7 +72,7 @@ def get_active_instance(self) -> InstanceConfig | None:
 
     def get_adminable_instances(self) -> InstanceConfigQuerySet:
         from nodes.models import InstanceConfig
-        return InstanceConfig.permission_policy().instances_user_has_permission_for(self, 'change')
+        return InstanceConfig.permission_policy().adminable_instances(self)
 
     @cached_property
     def cgroups(self) -> QS[Group]:

Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,7 @@ async def get_admin_instance(self, request: PathsAdminRequest) -> None \| Instanc`
`67`	`67`	`instance_config = await InstanceConfig.objects.filter(id=admin_instance_id).afirst()`
`68`	`68`
`69`	`69`	`adminable_instances = [`
`70`		`- ic async for ic in InstanceConfig.permission_policy().instances_user_has_any_permission_for(user, ['change'])`
`71`		`- .filter(site__isnull=False)`
	`70`	`+ ic async for ic in user.get_adminable_instances().filter(site__isnull=False)`
`72`	`71`	`]`
`73`	`72`	`if instance_config is not None and instance_config not in adminable_instances:`
`74`	`73`	`instance_config = None`