misc: check access rights using is_superuser, not is_staff (#59186)

combo/data/models.py

@@ -356,7 +356,7 @@ class Page(models.Model):
         return False
 
     def is_editable(self, user):
-        if user.is_staff:
+        if user.is_superuser:
             return True
         group_ids = [x.id for x in user.groups.all()]
         if self.edit_role_id in group_ids:
@@ -438,7 +438,7 @@ class Page(models.Model):
             pages_hierarchy.append(page_hierarchy)
 
         group_ids = None  # None = do not pay attention to groups
-        if follow_user_perms and not follow_user_perms.is_staff:
+        if follow_user_perms and not follow_user_perms.is_superuser:
             group_ids = [x.id for x in follow_user_perms.groups.all()]
 
         pages_hierarchy.sort()

combo/manager/templates/combo/manager_home.html

@@ -4,13 +4,13 @@
 {% block appbar %}
 <h2>{% trans 'Pages' %}</h2>
 <span class="actions">
-{% if user.is_staff %}
+{% if user.is_superuser %}
 <a class="extra-actions-menu-opener"></a>
 {% endif %}
 {% if can_add_page %}
 <a rel="popup" href="{% url 'combo-manager-page-add' %}">{% trans 'New' %}</a>
 {% endif %}
-{% if user.is_staff %}
+{% if user.is_superuser %}
 <ul class="extra-actions-menu">
  <li><a href="{% url 'combo-manager-site-export' %}" rel="popup" data-autoclose-dialog="true">{% trans 'Export Site' %}</a></li>
  <li><a href="{% url 'combo-manager-site-import' %}">{% trans 'Import Site' %}</a></li>
@@ -37,7 +37,7 @@ Use drag and drop with the ⣿ handles to reorder and change hierarchy of pages.
 <div class="objects-list" id="pages-list" data-page-order-url="{% url 'combo-manager-page-order' %}">
  {% for page in object_list %}
  <div class="page level-{{page.level}}{% if collapse_pages %} untoggled{% endif %}" data-page-id="{{page.id}}" data-level="{{page.level}}">
-    {% if user.is_staff %}<span class="handle">⣿</span>{% endif %}
+    {% if user.is_superuser %}<span class="handle">⣿</span>{% endif %}
     <span class="group1">
       <a href="{% url 'combo-manager-page-view' pk=page.id %}">
         {{ page.title }}

combo/manager/templates/combo/page_view.html

@@ -11,7 +11,7 @@
 <ul class="extra-actions-menu">
   <li><a class="action-history" href="{% url 'combo-manager-page-history' pk=object.id %}">{% trans 'History' %}</a></li>
   <li><a {% if page_has_subpages %}rel="popup" data-autoclose-dialog="true" {% endif %}class="action-export" href="{% url 'combo-manager-page-export' pk=object.id %}">{% trans 'Export' %}</a></li>
-{% if request.user.is_staff %}
+{% if request.user.is_superuser %}
   <li><a class="action-add-child" rel="popup" href="{% url 'combo-manager-page-add-child' pk=object.id %}">{% trans 'Add a child page' %}</a></li>
   <li><a class="action-edit-roles" rel="popup" href="{% url 'combo-manager-page-edit-roles' pk=object.id %}">{% trans 'Manage edit roles' %}</a></li>
   <li><a rel="popup" class="action-duplicate" href="{% url 'combo-manager-page-duplicate' pk=object.id %}">{% trans 'Duplicate' %}</a></li>
@@ -96,7 +96,7 @@
 <div class="page-options navigation">
 <h3>{% trans 'Navigation' %}</h3>
 <ul>
-{% if object.parent_id and request.user.is_staff %}
+{% if object.parent_id and request.user.is_superuser %}
 <li class="nav-up"><a href="{% url 'combo-manager-page-view' pk=object.parent_id %}">{{ object.parent.title }}</a></li>
 {% endif %}
 {% if previous_page %}

combo/manager/views.py

@@ -80,7 +80,7 @@ from .forms import (
 
 
 def can_add_page(user):
-    if user.is_staff:
+    if user.is_superuser:
         return True
     group_ids = [x.id for x in user.groups.all()]
     return bool(Page.objects.filter(subpages_edit_role_id__in=group_ids).exists())
@@ -194,7 +194,7 @@ class PageAddView(CreateView):
     template_name = 'combo/page_add.html'
 
     def get_form_class(self):
-        if self.request.user.is_staff:
+        if self.request.user.is_superuser:
             return PageAddForm
         elif can_add_page(self.request.user):
             return PageRestrictedAddForm

combo/public/views.py

@@ -115,7 +115,7 @@ def ajax_page_cell(request, page_pk, cell_reference):
         except Page.DoesNotExist:
             raise Http404()
         # as it's from a snapshot access is limited to managers
-        if not (request.user and request.user.is_staff):
+        if not (request.user and request.user.is_superuser):
             raise PermissionDenied()
 
     if not page.is_visible(request.user):

combo/urls_utils.py

@@ -59,7 +59,7 @@ def decorated_includes(func, includes, *args, **kwargs):
 
 def manager_required(function=None, login_url=None):
     def check_manager(user):
-        if user and user.is_staff:
+        if user and user.is_superuser:
             return True
         if user and not user.is_anonymous:
             from combo.data.models import Page
@@ -81,7 +81,7 @@ def manager_required(function=None, login_url=None):
 
 def staff_required(function=None, login_url=None):
     def check_staff(user):
-        if user and user.is_staff:
+        if user and user.is_superuser:
             return True
         if user and not user.is_anonymous:
             raise PermissionDenied()