Merge pull request #8165 from 4teamwork/es/TI-1935-delete-watchers

Allow admins to delete any watcher

Author: elioschmutz

changes/TI-1935.feature

@@ -0,0 +1 @@
+A limited admin, an administrator and a manager can always remove a watcher from an object. [elioschmutz]

changes/TI-1935.other

@@ -0,0 +1 @@
+Extends the @watchers response with `watcher_properties` which tells the frontend if a specific watcher is deleteable by the current user. [elioschmutz]

docs/public/dev-manual/api/api_changelog.rst

@@ -24,6 +24,7 @@ Breaking Changes
 Other Changes
 ^^^^^^^^^^^^^
 ``@listing``: Filtering by inactive dossier responsible is now available.
+``@watchers``: Extends the @watchers response with ``watcher_properties``.
 
 2025.6.0 (2025-04-07)
 ---------------------

docs/public/dev-manual/api/watchers.rst

@@ -30,11 +30,11 @@ Ein Beobachter kann verschiedene Rollen haben, beispielsweise die Rollen Auftrag
         "referenced_actors": [
           {
             "@id": "https://example.org/@actors/peter.mueller",
-            "identifier": "peter.mueller",
+            "identifier": "peter.mueller"
           },
           {
             "@id": "https://example.org/@actors/rolf.ziegler",
-            "identifier": "rolf.ziegler",
+            "identifier": "rolf.ziegler"
           }
         ],
         "referenced_watcher_roles": [
@@ -49,7 +49,7 @@ Ein Beobachter kann verschiedene Rollen haben, beispielsweise die Rollen Auftrag
           {
             "id": "task_responsible",
             "title": "Auftragnehmer"
-          },
+          }
         ],
         "watchers_and_roles": {
           "peter.mueller": [
@@ -59,6 +59,14 @@ Ein Beobachter kann verschiedene Rollen haben, beispielsweise die Rollen Auftrag
             "regular_watcher",
             "task_responsible"
           ]
+        },
+        "watcher_properties": {
+          "peter.mueller": {
+            "can_delete_watcher": true
+          },
+          "rolf.ziegler": {
+            "can_delete_watcher": false
+          }
         }
       }
 
@@ -89,7 +97,8 @@ Die Beobachter können als Komponente eines Inhalts direkt über den ``expand``-
           "@id": "https://example.org/ordnungssystem/fuehrung/dossier-23/task-1/@listing-stats",
           "referenced_actors": ["..."],
           "referenced_watcher_roles": ["..."],
-          "watchers_and_roles": { "...": "..." }
+          "watchers_and_roles": { "...": "..." },
+          "watcher_properties": { "...": "..." }
         }
       },
       "...": "..."

opengever/api/permissions.zcml

@@ -8,5 +8,6 @@
   <permission id="opengever.api.ManageGroups" title="opengever.api: Manage Groups" />
   <permission id="opengever.api.NotifyArbitraryUsers" title="opengever.api: Notify Arbitrary Users" />
   <permission id="opengever.api.AccessErrorLog" title="opengever.api: Access error log" />
+  <permission id="opengever.api.RemoveAnyWatcher" title="opengever.api: Remove any watcher" />
 
 </configure>

opengever/api/tests/test_watchers.py

@@ -2,11 +2,13 @@
 from ftw.testbrowser import browsing
 from opengever.activity import notification_center
 from opengever.activity.roles import WATCHER_ROLE
+from opengever.api.watchers import WatcherDeleter
 from opengever.base.model import create_session
 from opengever.ogds.models.user import User
 from opengever.testing import IntegrationTestCase
 from opengever.testing import solr_data_for
 from opengever.testing import SolrIntegrationTestCase
+from zExceptions import Forbidden
 import json
 
 
@@ -52,6 +54,10 @@ def test_get_watchers_for_tasks(self, browser):
             u'watchers_and_roles': {
                 self.regular_user.id: [u'regular_watcher', u'task_responsible'],
                 self.dossier_responsible.id: [u'task_issuer']
+            },
+            u'watcher_properties': {
+                self.regular_user.id: {'can_delete_watcher': True },
+                self.dossier_responsible.id: {'can_delete_watcher': False },
             }
         }
 
@@ -104,6 +110,10 @@ def test_get_watchers_for_inbox_forwarding(self, browser):
             u'watchers_and_roles': {
                 self.regular_user.id: [u'regular_watcher', u'task_responsible'],
                 self.dossier_responsible.id: [u'task_issuer']
+            },
+            u'watcher_properties': {
+                self.regular_user.id: {'can_delete_watcher': False },
+                self.dossier_responsible.id: {'can_delete_watcher': False },
             }
         }
 
@@ -141,6 +151,9 @@ def test_get_watchers_for_documents(self, browser):
             ],
             u'watchers_and_roles': {
                 self.dossier_responsible.id: [u'regular_watcher']
+            },
+            u'watcher_properties': {
+                self.dossier_responsible.id: {'can_delete_watcher': False },
             }
         }
 
@@ -177,6 +190,9 @@ def test_get_watchers_for_mails(self, browser):
             ],
             u'watchers_and_roles': {
                 self.dossier_responsible.id: [u'regular_watcher']
+            },
+            u'watcher_properties': {
+                self.dossier_responsible.id: {'can_delete_watcher': False },
             }
         }
 
@@ -217,6 +233,9 @@ def test_watchers_endpoint_supports_teams(self, browser):
             ],
             u'watchers_and_roles': {
                 u'team:1': [u'task_responsible'],
+            },
+            u'watcher_properties': {
+                u'team:1': {'can_delete_watcher': False },
             }
         }
 
@@ -255,9 +274,11 @@ def test_watchers_endpoint_supports_inboxes(self, browser):
             ],
             u'watchers_and_roles': {
                 u'inbox:fa': [u'task_responsible'],
+            },
+            u'watcher_properties': {
+                u'inbox:fa': {'can_delete_watcher': False },
             }
         }
-
         self.assertEqual(expected_json, browser.json)
 
         browser.open(self.task.absolute_url() + '?expand=watchers',
@@ -287,7 +308,8 @@ def test_get_watchers_hides_inactive_users(self, browser):
         expected_json = {u'@id': self.document.absolute_url() + '/@watchers',
                          u'referenced_actors': [],
                          u'referenced_watcher_roles': [],
-                         u'watchers_and_roles': {}}
+                         u'watchers_and_roles': {},
+                         u'watcher_properties': {}}
         self.assertEqual(expected_json, browser.json['@components']['watchers'])
 
 
@@ -817,3 +839,109 @@ def test_possible_watchers_includes_users_groups_and_teams(self, browser):
             u'items_total': 10}
 
         self.assertEqual(expected_json, browser.json)
+
+class TestWatcherDeleter(IntegrationTestCase):
+
+    features = ('activity', )
+
+    def test_can_delete_watcher_from_context(self):
+        self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.regular_user.getId(), WATCHER_ROLE)
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertItemsEqual(
+            [self.regular_user.getId(), self.dossier_responsible.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+        WatcherDeleter(self.task).delete(self.regular_user.getId())
+
+        self.assertItemsEqual(
+            [self.dossier_responsible.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+    def test_delete_raises_forbidden_if_not_allowed(self):
+        self.login(self.regular_user)
+
+        with self.assertRaises(Forbidden):
+            WatcherDeleter(self.task).delete(self.dossier_responsible.getId())
+
+    def test_can_delete_returns_true_for_current_user(self):
+        self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.regular_user.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
+
+    def test_can_delete_returns_true_if_actor_has_watcher_role(self):
+        self.login(self.regular_user)
+        center = notification_center()
+
+        # No one is watching with the WATCHER_ROLE
+        self.assertItemsEqual(
+            [],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+        # But with other roles
+        self.assertItemsEqual(
+            [self.regular_user.getId(), self.dossier_responsible.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task)]
+        )
+
+        # Delete should not be possible because the WATCHER_ROLE is missing for the user
+        self.assertFalse(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
+
+        center.add_watcher_to_resource(self.task, self.regular_user.getId(), WATCHER_ROLE)
+
+        self.assertItemsEqual(
+            [self.regular_user.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+        # Now it's possible because the user is watching with the required role
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
+
+    def test_can_delete_returns_true_for_groups(self):
+        self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, 'fa_users', WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete('fa_users'))
+
+    def test_can_delete_returns_false_for_foreign_actors_as_editor(self):
+        self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertFalse(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+    def test_can_delete_returns_true_for_foreign_actors_as_limited_admin(self):
+        self.login(self.limited_admin)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+    def test_can_delete_returns_true_for_foreign_actors_as_administrator(self):
+        self.login(self.administrator)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+    def test_can_delete_returns_true_for_foreign_actors_as_manager(self):
+        self.login(self.manager)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))

opengever/api/watchers.py

@@ -59,9 +59,15 @@ def __call__(self, expand=False):
             }
             for role in roles]
 
+        watcher_properties = defaultdict(dict)
+        deleter = WatcherDeleter(self.context)
+        for actor_id in watchers_and_roles:
+            watcher_properties[actor_id]['can_delete_watcher'] = deleter.can_delete(actor_id)
+
         result['watchers']['watchers_and_roles'] = watchers_and_roles
         result['watchers']['referenced_watcher_roles'] = referenced_watcher_roles
         result['watchers']['referenced_actors'] = referenced_actors
+        result['watchers']['watcher_properties'] = watcher_properties
         return result
 
 
@@ -94,6 +100,41 @@ def extract_data(self):
             raise BadRequest(u"Actor '{}' does not exist".format(self.actor_id))
 
 
+class WatcherDeleter(object):
+
+    def __init__(self, context):
+        self.context = context
+        self.center = notification_center()
+
+    def can_delete(self, actor_id):
+        watchers = self.center.get_watchers(self.context, WATCHER_ROLE)
+
+        # Delete watcher is only possible for the WATCHER_ROLE
+        if actor_id not in [watcher.actorid for watcher in watchers]:
+            return False
+
+        # Always allow depending on a permission
+        if api.user.has_permission('opengever.api: Remove any watcher', obj=self.context):
+            return True
+
+        # The user can always remove itself
+        if actor_id == api.user.get_current().getId():
+            return True
+
+        # The user can never remove another user
+        if isinstance(ActorLookup(actor_id).lookup(), OGDSUserActor):
+            return False
+
+        # the user can remove groups and teams
+        return True
+
+    def delete(self, actor_id):
+        if not self.can_delete(actor_id):
+            raise Forbidden()
+
+        notification_center().remove_watcher_from_resource(self.context, actor_id, WATCHER_ROLE)
+
+
 @implementer(IPublishTraverse)
 class WatchersDelete(Service):
     def __init__(self, context, request):
@@ -110,11 +151,7 @@ def reply(self):
 
         self.extract_data()
         actor_id = self.read_params()
-        if not self.can_delete_actor(actor_id):
-            raise Forbidden()
-
-        self.center = notification_center()
-        self.center.remove_watcher_from_resource(self.context, actor_id, WATCHER_ROLE)
+        WatcherDeleter(self.context).delete(actor_id)
 
         self.request.response.setStatus(204)
         return None
@@ -124,18 +161,6 @@ def extract_data(self):
         if data:
             raise BadRequest("DELETE does not take any data")
 
-    def can_delete_actor(self, actor_id):
-        # The user can always remove itslef
-        if actor_id == api.user.get_current().getId():
-            return True
-
-        # The user can never remove another user
-        if isinstance(ActorLookup(actor_id).lookup(), OGDSUserActor):
-            return False
-
-        # the user can remove groups and teams
-        return True
-
     def read_params(self):
         if len(self.params) == 0:
             raise BadRequest("Must supply an actor ID as URL path parameter.")

opengever/base/monkey/patches/readonly.py

@@ -230,6 +230,7 @@ def getRolesInContext(self, context):
     'opengever.api: Manage Role Assignment Reports',
     'opengever.api: Notify Arbitrary Users',
     'opengever.api: Transfer Assignment',
+    'opengever.api: Remove any watcher',
     'opengever.contact: Edit team',
     'opengever.disposition: Edit transfer number',
     'opengever.document: Cancel',

opengever/core/lawgiver.zcml

@@ -233,6 +233,7 @@
                    opengever.api: Manage Groups,
                    opengever.api: Manage Role Assignment Reports,
                    opengever.api: Notify Arbitrary Users,
+                   opengever.api: Remove any watcher,
                    opengever.api: Transfer Assignment,
                    opengever.api: View AllowedRolesAndPrincipals,
                    opengever.bumblebee: Revive Preview,

opengever/core/profiles/default/rolemap.xml

@@ -454,6 +454,12 @@
       <role name="Reviewer" />
     </permission>
 
+    <permission name="opengever.api: Remove any watcher" acquire="True">
+      <role name="Manager" />
+      <role name="Administrator" />
+      <role name="LimitedAdmin" />
+    </permission>
+
   </permissions>
 
 </rolemap>