diff --git a/pms/methods.py b/pms/methods.py
index 1ad8c1413..caf35167d 100644
--- a/pms/methods.py
+++ b/pms/methods.py
@@ -4,7 +4,7 @@ from django.shortcuts import render
from pyexpat.errors import messages
from employee.models import EmployeeWorkInformation
-from pms.models import EmployeeObjective, Objective
+from pms.models import EmployeeObjective, Feedback, Objective
decorator_with_arguments = (
lambda decorator: lambda *args, **kwargs: lambda func: decorator(
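Review bot: `Feedback` is added to the `pms.models` import here, but the function this commit adds to the file never references it, so in the visible hunks it is an unused import; drop it unless code outside the diff needs it. Separately, the context line `from pyexpat.errors import messages` looks like an auto-import slip: `pyexpat.errors.messages` is a dict of XML parser error strings, not Django's messages framework, so a `messages.info(...)` call in this module would raise. `from django.contrib import messages` is presumably what was intended.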
@@ -75,3 +75,40 @@ def pms_owner_and_manager_can_enter(function, perm):
return HttpResponse(script)
return _function
+
+
+def check_permission_feedback_detailed_view(request, feedback, perm):
+ """
+ Checks if the user has permission to view the detailed view of feedback.
+
+ The user is allowed if they:
+ - Have the required permission
+ - Are the owner of the feedback
+ - Are the reporting manager of the feedback owner
+ - Are the feedback manager
+
+ Args:
+ request: The HTTP request object containing the user.
+ feedback: The feedback object being accessed.
+ perm: The specific permission required.
+
+ Returns:
+ bool: True if the user has permission, False otherwise.
+ """
+ user = request.user
+ employee = user.employee_get
+
+ # Check if the user is the reporting manager of the feedback owner
+ is_manager = EmployeeWorkInformation.objects.filter(
+ reporting_manager_id=employee, employee_id=feedback.employee_id
+ ).exists()
+
+ # Check for permission, if the user is the feedback manager, reporting manager, or the feedback owner
+ has_permission = (
+ user.has_perm(perm)
+ or feedback.manager_id == employee
+ or is_manager
+ or feedback.employee_id == employee
+ )
+
+ return has_permission
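Review bot: `check_permission_feedback_detailed_view` dereferences `user.employee_get` and `feedback.employee_id` before any check can short-circuit, so an account with no employee profile or a `None` feedback turns an authorisation decision into an unhandled exception. If `employee_get` is a reverse relation accessor, a superuser without a profile would fail here even though `user.has_perm(perm)` would have allowed the request. `feedback_detailed_view_answer` passes the result of `.first()`, which can be `None`. The `EmployeeWorkInformation` query also runs on every call, including for users who already pass on the permission or ownership checks. I would fail closed on missing objects and leave the query until last, as sketched below.

```python
def check_permission_feedback_detailed_view(request, feedback, perm):
    # … unchanged: docstring …
    if feedback is None:
        # Nothing to authorise against: deny rather than raise.
        return False

    user = request.user
    if user.has_perm(perm):
        return True

    # Accounts without an employee profile cannot be owner or manager.
    employee = getattr(user, "employee_get", None)
    if employee is None:
        return False

    if feedback.manager_id == employee or feedback.employee_id == employee:
        return True

    # Reporting-manager lookup last: it is the only check that costs a query.
    return EmployeeWorkInformation.objects.filter(
        reporting_manager_id=employee, employee_id=feedback.employee_id
    ).exists()
```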
diff --git a/pms/templatetags/pmsfilters.py b/pms/templatetags/pmsfilters.py
index 2af958a4c..5a8209a68 100644
--- a/pms/templatetags/pmsfilters.py
+++ b/pms/templatetags/pmsfilters.py
@@ -16,7 +16,7 @@ Filters:
from django.template.defaultfilters import register
-from employee.models import Employee
+from employee.models import Employee, EmployeeWorkInformation
from pms.models import EmployeeObjective, Feedback, Objective
@@ -94,6 +94,10 @@ def is_feedback_manager_or_owner(feedback, user):
return True
elif Feedback.objects.filter(id=feedback.id, employee_id=employee).exists():
return True
+ elif EmployeeWorkInformation.objects.filter(
+ reporting_manager_id=employee, employee_id=feedback.employee_id
+ ).exists():
+ return True
return False
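Review bot: The added `elif` in `is_feedback_manager_or_owner` repeats the reporting-manager query that this commit also puts in `check_permission_feedback_detailed_view` in `pms/methods.py`, so the rule that shows the link and the rule that enforces access now live in two places and can drift apart. Having the filter call the shared helper's ownership logic, or at least adding a comment such as `# keep in sync with pms.methods.check_permission_feedback_detailed_view`, would make that coupling visible. If this filter is evaluated once per row of a feedback list, the new branch adds one query per row for users who are neither manager nor owner. The function starts outside this hunk, so the earlier branches are not visible here.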
diff --git a/pms/views.py b/pms/views.py
index 4eb93b018..72d62b8ea 100644
--- a/pms/views.py
+++ b/pms/views.py
@@ -60,7 +60,10 @@ from pms.forms import (
QuestionForm,
QuestionTemplateForm,
)
-from pms.methods import pms_owner_and_manager_can_enter
+from pms.methods import (
+ check_permission_feedback_detailed_view,
+ pms_owner_and_manager_can_enter,
+)
from pms.models import (
AnonymousFeedback,
Answer,
@@ -1771,7 +1774,6 @@ def feedback_list_view(request):
@login_required
-@owner_can_enter("pms.view_Feedback", Feedback)
def feedback_detailed_view(request, id, **kwargs):
"""
This view is used to for detailed view of feedback,
@@ -1781,17 +1783,30 @@ def feedback_detailed_view(request, id, **kwargs):
it will return the feedback object to feedback_detailed_view template .
"""
feedback = Feedback.objects.get(id=id)
- feedback_started = Answer.objects.filter(feedback_id=id)
- current_date = datetime.datetime.now()
- context = {
- "feedback": feedback,
- "feedback_started": feedback_started,
- "feedback_status": Feedback.STATUS_CHOICES,
- "current_date": current_date,
- }
- return render(request, "feedback/feedback_detailed_view.html", context)
+ is_have_perm = check_permission_feedback_detailed_view(
+ request, feedback, "pms.view_Feedback"
+ )
+ if is_have_perm:
+ feedback_started = Answer.objects.filter(feedback_id=id)
+ current_date = datetime.datetime.now()
+ context = {
+ "feedback": feedback,
+ "feedback_started": feedback_started,
+ "feedback_status": Feedback.STATUS_CHOICES,
+ "current_date": current_date,
+ }
+ return render(request, "feedback/feedback_detailed_view.html", context)
+ else:
+ messages.info(request, "You dont have permission.")
+ previous_url = request.META.get("HTTP_REFERER", "/")
+ script = f''
+ key = "HTTP_HX_REQUEST"
+ if key in request.META.keys():
+ return render(request, "decorator_404.html")
+ return HttpResponse(script)
+@login_required
def feedback_detailed_view_answer(request, id, emp_id):
"""
This view is used show answer ,
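Review bot: The denial branch of `feedback_detailed_view` answers with a plain `HttpResponse(script)`, which is a 200, and `previous_url` is read from the `Referer` header but never used because `script = f''` is empty as shown here. The literal may have lost its contents when the page was rendered. If the real string interpolates `previous_url` into markup or script, note that `Referer` is client-controlled and must not be reflected unescaped. Validating it, e.g. `if not url_has_allowed_host_and_scheme(previous_url, allowed_hosts={request.get_host()}): previous_url = "/"`, and then returning `redirect(previous_url)` avoids building script text from a header. The same block is copied verbatim into `feedback_detailed_view_answer` in the next hunk and would be better as one shared helper. The context line `Feedback.objects.get(id=id)` still raises `DoesNotExist` for an unknown id before the permission check runs.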
@@ -1803,11 +1818,23 @@ def feedback_detailed_view_answer(request, id, emp_id):
"""
employee = Employee.objects.filter(id=emp_id).first()
feedback = Feedback.objects.filter(id=id).first()
- answers = Answer.objects.filter(employee_id=employee, feedback_id=feedback)
- context = {
- "answers": answers,
- }
- return render(request, "feedback/feedback_detailed_view_answer.html", context)
+ is_have_perm = check_permission_feedback_detailed_view(
+ request, feedback, "pms.view_Feedback"
+ )
+ if is_have_perm:
+ answers = Answer.objects.filter(employee_id=employee, feedback_id=feedback)
+ context = {
+ "answers": answers,
+ }
+ return render(request, "feedback/feedback_detailed_view_answer.html", context)
+ else:
+ messages.info(request, "You dont have permission.")
+ previous_url = request.META.get("HTTP_REFERER", "/")
+ script = f''
+ key = "HTTP_HX_REQUEST"
+ if key in request.META.keys():
+ return render(request, "decorator_404.html")
+ return HttpResponse(script)
@login_required
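Review bot: In `feedback_detailed_view_answer` the permission check covers only `feedback`; `emp_id` from the URL is never tied to the requester, so anyone who passes, including the feedback's owner, can request any respondent's answers for that feedback by changing `emp_id`. If respondents' answers are meant to stay hidden from the person being reviewed, this needs a narrower rule than the one used for the detail page; if not, a comment saying so would help. Also, `Feedback.objects.filter(id=id).first()` can return `None`, which is passed straight to the helper, where `feedback.employee_id` raises `AttributeError`. `feedback = get_object_or_404(Feedback, id=id)` (imported from `django.shortcuts` if the module does not already have it) would turn that into a 404.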