Merge pull request #5489 from opensafely-core/tomodwyer/project-detail

Replace `is_member` with `can_manage_project` in project detail template

Author: tomodwyer

jobserver/views/projects.py

@@ -41,7 +41,9 @@ def get(self, request, *args, **kwargs):
             request.user, Permission.WORKSPACE_CREATE, project=project
         )
 
-        is_member = project.members.filter(username=request.user.username).exists()
+        can_manage_project = has_permission(
+            request.user, Permission.PROJECT_MANAGE, project=project
+        )
 
         memberships = project.memberships.select_related("user").order_by(
             Lower("user__fullname"), "user__username"
@@ -85,8 +87,8 @@ def get(self, request, *args, **kwargs):
 
         context = {
             "can_create_workspaces": can_create_workspaces,
+            "can_manage_project": can_manage_project,
             "first_job_ran_at": first_job_ran_at,
-            "is_member": is_member,
             "memberships": memberships,
             "outputs": self.get_outputs(workspaces),
             "project": project,

templates/project/detail.html

@@ -78,7 +78,7 @@
                   View logs
                   {% icon_queue_list_outline class="h-4 w-4 ml-2 -mr-2" %}
                 {% /button %}
-                {% if is_member %}
+                {% if can_manage_project %}
                   {% #button class="shrink-0" href=project.get_edit_url type="link" variant="secondary" %}
                     Edit project
                     {% icon_pencil_outline class="h-4 w-4 ml-2 -mr-2" %}

tests/unit/jobserver/views/test_projects.py

@@ -219,6 +219,44 @@ def test_projectdetail_with_no_releases(rf):
     assert "Outputs" not in response.rendered_content
 
 
+def test_projectdetail_hides_edit_project_for_member_without_manage_permission(
+    rf, project_membership
+):
+    project = ProjectFactory(org=OrgFactory())
+    user = UserFactory()
+    project_membership(project=project, user=user)
+
+    request = rf.get("/")
+    request.user = user
+
+    response = ProjectDetail.as_view(get_github_api=FakeGitHubAPI)(
+        request, project_slug=project.slug
+    )
+
+    assert "Edit project" not in response.rendered_content
+
+
+def test_projectdetail_shows_edit_project_for_user_with_manage_permission(
+    rf, project_membership, role_factory
+):
+    project = ProjectFactory(org=OrgFactory())
+    user = UserFactory()
+    project_membership(
+        project=project,
+        user=user,
+        roles=[role_factory(permission=Permission.PROJECT_MANAGE)],
+    )
+
+    request = rf.get("/")
+    request.user = user
+
+    response = ProjectDetail.as_view(get_github_api=FakeGitHubAPI)(
+        request, project_slug=project.slug
+    )
+
+    assert "Edit project" in response.rendered_content
+
+
 def test_projectdetail_unknown_project(rf):
     request = rf.get("/")
     request.user = UserFactory()