Adapt dashboard views to multiple stockrecords

We allow access to a product as long as one stockrecord's partner has
the user in it's list. That more permissive default was chosen as it
reduces UI complexity and we don't want to complicate already complex
behaviour further.

oscar/apps/catalogue/abstract_models.py

@@ -6,7 +6,7 @@ import warnings
 
 from django.conf import settings
 from django.contrib.staticfiles.finders import find
-from django.core.exceptions import ObjectDoesNotExist, ValidationError, ImproperlyConfigured
+from django.core.exceptions import ValidationError, ImproperlyConfigured
 from django.core.validators import RegexValidator
 from django.db import models
 from django.db.models import Sum, Count, get_model
@@ -490,14 +490,19 @@ class AbstractProduct(models.Model):
             return False, _("No stock available")
         return self.stockrecord.is_purchase_permitted(user, quantity, self)
 
-    def user_in_partner_users(self, user):
+    def is_user_in_partners_users(self, user, match_all=False):
         """
-        Test whether the user is in this product partner's users
+        The stockrecords of this product are linked to a fulfilment partner,
+        which have a M2M field for a list of users.
+
+        This function tests whether a given user is in any (match_all=False) or
+        all (match_all=True) of those user lists.
         """
-        try:
-            return self.stockrecord.partner.users.filter(pk=user.pk).exists()
-        except (AttributeError, ObjectDoesNotExist):
-            return False
+        queryset = user.partners.filter(stockrecords__product=self)
+        if match_all:
+            return queryset.count() == self.stockrecords.count()
+        else:
+            return queryset.exists()
 
     @property
     def min_variant_price_incl_tax(self):

oscar/apps/dashboard/catalogue/views.py

@@ -1,4 +1,4 @@
-from django.core.exceptions import ObjectDoesNotExist, PermissionDenied, ImproperlyConfigured
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.views import generic
 from django.db.models import get_model
 from django.http import HttpResponseRedirect, Http404
@@ -35,6 +35,15 @@ StockAlert = get_model('partner', 'StockAlert')
 Partner = get_model('partner', 'Partner')
 
 
+def get_queryset_for_user(user):
+    queryset = Product.objects.base_queryset().order_by('-date_created')
+    if user.is_staff:
+        return queryset.all()
+    else:
+        return queryset.filter(
+            stockrecords__partner__users__pk=user.pk).distinct()
+
+
 class ProductListView(generic.ListView):
     template_name = 'dashboard/catalogue/product_list.html'
     model = Product
@@ -50,14 +59,6 @@ class ProductListView(generic.ListView):
         ctx['queryset_description'] = self.description
         return ctx
 
-    def get_queryset_for_user(self, user):
-        queryset = self.model.objects.base_queryset().select_related(
-            'stockrecord__partner').order_by('-date_created')
-        if user.is_staff:
-            return queryset.all()
-        else:
-            return queryset.filter(stockrecord__partner__users__pk=user.pk)
-
     def get_queryset(self):
         """
         Build the queryset for this list and also update the title that
@@ -65,7 +66,7 @@ class ProductListView(generic.ListView):
         """
         description_ctx = {'upc_filter': '',
                            'title_filter': ''}
-        queryset = self.get_queryset_for_user(self.request.user)
+        queryset = get_queryset_for_user(self.request.user)
         self.form = self.form_class(self.request.GET)
         if not self.form.is_valid():
             self.description = self.description_template % description_ctx
@@ -137,9 +138,13 @@ class ProductCreateUpdateView(generic.UpdateView):
             else:
                 return None  # success
         else:
-            obj = super(ProductCreateUpdateView, self).get_object(queryset)
-            self.product_class = obj.product_class
-            return obj
+            product = super(ProductCreateUpdateView, self).get_object(queryset)
+            user = self.request.user
+            self.product_class = product.product_class
+            if user.is_staff or product.is_user_in_partners_users(user):
+                return product
+            else:
+                raise PermissionDenied
 
     def get_context_data(self, **kwargs):
         ctx = super(ProductCreateUpdateView, self).get_context_data(**kwargs)
@@ -270,7 +275,7 @@ class ProductDeleteView(generic.DeleteView):
         """
         product = super(ProductDeleteView, self).get_object(queryset)
         user = self.request.user
-        if user.is_staff or product.user_in_partner_users(user):
+        if user.is_staff or product.is_user_in_partners_users(user):
             return product
         else:
             raise PermissionDenied

oscar/test/factories.py

@@ -25,14 +25,15 @@ ProductAttributeValue = get_model('catalogue', 'ProductAttributeValue')
 
 
 def create_stockrecord(product=None, price_excl_tax=None, partner_sku=None,
-                       num_in_stock=None, partner_name="Dummy partner",
+                       num_in_stock=None, partner_name=u"Dummy partner",
                        currency=settings.OSCAR_DEFAULT_CURRENCY,
-                       partner_users=[]):
+                       partner_users=None):
     if product is None:
         product = create_product()
     partner, __ = Partner.objects.get_or_create(
         name=partner_name)
-    for user in partner_users:
+    if partner_users:
+        for user in partner_users:
             partner.users.add(user)
     if not price_excl_tax:
         price_excl_tax = D('9.99')
@@ -79,10 +80,11 @@ def create_product(upc=None, title=u"Dummy title",
 
     # Shortcut for creating stockrecord
     stockrecord_fields = [price, partner_sku, num_in_stock, partner_users]
-    if any([field is not None for field in stockrecord_fields):
+    if any([field is not None for field in stockrecord_fields]):
         create_stockrecord(
             product, price_excl_tax=price, num_in_stock=num_in_stock,
-            partner_users=partner_users, partner_sku=partner_sku)
+            partner_users=partner_users, partner_sku=partner_sku,
+            partner_name=partner)
     return product