From 806a7f961de42a906a4be49b727ba5ce85001f15 Mon Sep 17 00:00:00 2001
From: Oliver Walters <oliver.henry.walters@gmail.com>
Date: Mon, 5 Oct 2020 22:57:05 +1100
Subject: [PATCH] Fixes for role permissions

- Fixed a strange interaction if multiple rulesets referred to the same models
- Order of operations was incorrect.
- Now is good? Yes!
---
 InvenTree/users/models.py | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py
index 09f2a046d1..5fe86e15fa 100644
--- a/InvenTree/users/models.py
+++ b/InvenTree/users/models.py
@@ -160,6 +160,15 @@ class RuleSet(models.Model):
 
     def save(self, *args, **kwargs):
 
+        # It does not make sense to be able to change / create something,
+        # but not be able to view it!
+
+        if self.can_add or self.can_change or self.can_delete:
+            self.can_view = True
+
+        if self.can_add or self.can_delete:
+            self.can_change = True
+
         super().save(*args, **kwargs)
 
     def get_models(self):
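Review bot: The comment added to `save()` explains only the first rule; the second one (`can_add` or `can_delete` forces `can_change = True`) widens what the administrator selected and has no explanation. I would put `# Add or delete rights imply change rights` above the second `if`, and extend the first comment to mention delete, which the condition also covers. Because the normalisation lives only in `save()`, writes that bypass it (`QuerySet.update()`, `bulk_create()`) would presumably store rows without the implied flags. The docstring should say that rulesets must be written through `save()`, or the code that reads these flags should apply the same implication. A test asserting that a ruleset saved with only `can_delete=True` comes back with `can_view` and `can_change` set would pin this behaviour.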
@@ -227,16 +236,13 @@ def update_group_roles(group, debug=False):
             if permission_string in permissions_to_delete:
                 permissions_to_delete.remove(permission_string)
 
-            if permission_string not in group_permissions:
-                permissions_to_add.add(permission_string)
+            permissions_to_add.add(permission_string)
 
         else:
 
             # A forbidden action will be ignored if we have already allowed it
             if permission_string not in permissions_to_add:
-
-                if permission_string in group_permissions:
-                    permissions_to_delete.add(permission_string)
+                permissions_to_delete.add(permission_string)
 
     # Get all the rulesets associated with this group
     for r in RuleSet.RULESET_CHOICES:
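Review bot: The precedence between rulesets that refer to the same model is now "allow wins", but only the deny branch carries a comment. The allow branch removes the string from `permissions_to_delete` and adds it unconditionally, so one permissive ruleset overrides a restrictive one whichever is processed first. That is an access-control policy decision and should be stated where it is implemented, for example `# An allow from any ruleset overrides a deny from another ruleset for the same model` above `permissions_to_add.add(permission_string)`. The enclosing helper starts outside this hunk, so how `allowed` is derived cannot be checked from here. A regression test with two rulesets giving opposite flags for one shared model would guard the interaction described in the commit message.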
@@ -287,6 +293,10 @@ def update_group_roles(group, debug=False):
     # Add any required permissions to the group
     for perm in permissions_to_add:
         
+        # Ignore if permission is already in the group
+        if perm in group_permissions:
+            continue
+
         permission = get_permission_object(perm)
 
         group.permissions.add(permission)
@@ -297,6 +307,10 @@ def update_group_roles(group, debug=False):
     # Remove any extra permissions from the group
     for perm in permissions_to_delete:
 
+        # Ignore if the permission is not already assigned
+        if perm not in group_permissions:
+            continue
+
         permission = get_permission_object(perm)
 
         group.permissions.remove(permission)