Update permission for Project document upload button (#4277)

Fixes #4275

Author: sandeepsajan0

hypha/apply/projects/permissions.py

@@ -1,8 +1,10 @@
 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from rolepermissions.permissions import register_object_checker
 
 from hypha.apply.activity.adapters.utils import get_users_for_groups
 from hypha.apply.users.models import User
+from hypha.apply.users.roles import Staff
 
 from .models.project import (
     CLOSING,
@@ -401,6 +403,13 @@ def can_edit_paf(user, project):
     return False, "You are not allowed to edit the project at this time"
 
 
+@register_object_checker()
+def upload_project_documents(role, user, project) -> bool:
+    if role == Staff:
+        return True
+    return False
+
+
 permissions_map = {
     "contract_approve": can_approve_contract,
     "contract_upload": can_upload_contract,

hypha/apply/projects/templates/application_projects/partials/supporting_documents.html

@@ -1,4 +1,5 @@
 {% load i18n approval_tools project_tags heroicons %}
+{% load can from permission_tags %}
 
 <li class="docs-block__row">
     <div class="docs-block__row-inner">
@@ -36,7 +37,8 @@
                                 <p class="docs-block__document-info"><b>{{ latest_file.title }}</b> - {{ latest_file.created_at }}</p>
                             {% endif %}
                         </div>
-                        {% if document_category in remaining_document_categories %}
+                        {% can "upload_project_documents" object as can_upload_documents %}
+                        {% if document_category in remaining_document_categories and can_upload_documents %}
                             <div class="docs-block__document-inner__actions">
                                 <a class="font-bold flex items-center me-0 hover:opacity-70 transition-opacity"
                                    href="{% url 'apply:projects:supporting_doc_upload' object.id document_category.id %}"

hypha/apply/projects/views/project.py

@@ -34,6 +34,7 @@
 from django_tables2 import SingleTableMixin
 from docx import Document
 from htmldocx import HtmlToDocx
+from rolepermissions.checkers import has_object_permission
 
 from hypha.apply.activity.adapters.utils import get_users_for_groups
 from hypha.apply.activity.messaging import MESSAGES, messenger
@@ -277,7 +278,6 @@ def post(self, *args, **kwargs):
 
 
 # PROJECT DOCUMENTS
-@method_decorator(staff_required, name="dispatch")
 class UploadDocumentView(CreateView):
     form_class = UploadDocumentForm
     model = Project
@@ -288,7 +288,11 @@ def dispatch(self, request, *args, **kwargs):
         self.category = get_object_or_404(
             DocumentCategory, id=kwargs.get("category_pk")
         )
-        # permission check
+        permission = has_object_permission(
+            "upload_project_documents", request.user, obj=self.project
+        )
+        if not permission:
+            raise PermissionDenied()
         return super().dispatch(request, *args, **kwargs)
 
     def get(self, *args, **kwargs):