Adding cohost permissions to view/respond to participation requests

[Rutvikrj26]

#2192 Implements the ability for an event host to add cohosts to the event. Currently cohosts don't have permissions to do anything on the platform.

This PR implements the change in the events functionality for the cohost to be able to view the participant lists, edit the event, view/respond to participation requests.

A scenario: Considering the event is held across the nation with multiple hubs, with each hub having an admin/lead. The admin for each hub is a cohost that can individually verify and approve the participant requests for the hub.

[bemoody]

The key question here is what this means in terms of access control for event datasets.

I realize that for now, event datasets don't actually make a difference to PhysioNet, but I would like to support them eventually, and there are a few things about them that that still make me uneasy.

In issue #2244, I've tried to lay out what I think is needed to make this system reasonably secure and auditable - changes that I hope should be easy to implement and not cause problems for HDN either. Could you please take a look?

[Rutvikrj26]

Thanks for adding these @bemoody
These are major security issues and need addressing before the next event happens. I'll be updating this PR to also solve the issues mentioned in #2244

[bemoody]

• In console/views.py:

@console_permission_required('user.add_event_dataset')

This should be events, not user - and the other lines referring to user.view_all_events should be events.view_all_events instead. Oops!

user.view_all_events and user.view_event_menu are obsolete permissions that should have been removed (issue #1818).

• In events/templates/events/event_home.html:

{% if user == event.host or user.id in event.get_cohost_ids %}

Couldn't this be {% if user == event.host or user in event.get_cohosts %} ?

It might be cleaner, instead, to define another function in events/templatetags/participation_status.py.

• In events/templates/events/event_notifications.html: the added text should be wrapped in {% if participation_response_form.instance.event.datasets.exists %}.

[Rutvikrj26]

@bemoody I've implemented these suggestion:

This should be events, not user - and the other lines referring to user.view_all_events should be events.view_all_events instead. Oops!

user.view_all_events and user.view_event_menu are obsolete permissions that should have been removed (issue #1818).

Both these permissions were actually a part of Event model, I mistakenly put them to user.

• In events/templates/events/event_home.html:

{% if user == event.host or user.id in event.get_cohost_ids %}

Couldn't this be {% if user == event.host or user in event.get_cohosts %} ?

It might be cleaner, instead, to define another function in events/templatetags/participation_status.py.

That is a much cleaner implementation - I implemented a filter in the templatetags that addresses this and removed the redundant method for cohost_ids.

• In events/templates/events/event_notifications.html: the added text should be wrapped in {% if participation_response_form.instance.event.datasets.exists %}.

Wrapped the text in the condition to make it more secure.

[tompollard]

@Rutvikrj26 I'm a little confused about this PR. The changes to the code don't seem to match the goal that you set out in the title and description ("Adding cohost permissions to view/respond to participation requests").

Side note but I don't remember why "invite co-host" form and notifications ended up being added to the "view event" page. We should definitely move them to http://localhost:8000/events/ (following a similar pattern to http://localhost:8000/projects/) at some point.

[tompollard]

typo include_event_datatsets should be include_event_datasets

[Rutvikrj26]

i've ran over it at least half a dozen times, but all three seem to be the exact same to me. Not sure what you're pointing to.

[tompollard]

There is a spelling mistake, I think? Shouldn't "datatsets" be "datasets"?

[Rutvikrj26]

Oh, Thanks!!
I couldn't spot it😅