From b775dd86e5bbf99be5081fbefddfd07df2ce0610 Mon Sep 17 00:00:00 2001 From: aastabk Date: Mon, 14 Jul 2025 08:05:57 +0200 Subject: [PATCH 1/5] Only genrequest members can mark an order as seen --- src/staff/tables.py | 42 ++++++++++++++++--- .../staff/components/seen_column.html | 2 + src/staff/templates/staff/dashboard.html | 2 +- src/staff/templatetags/order_tags.py | 9 +++- 4 files changed, 46 insertions(+), 9 deletions(-) diff --git a/src/staff/tables.py b/src/staff/tables.py index a9ce9222..4926c7ac 100644 --- a/src/staff/tables.py +++ b/src/staff/tables.py @@ -3,8 +3,12 @@ import django_tables2 as tables from django.db.models import IntegerField from django.db.models.functions import Cast +from django.middleware.csrf import get_token +from django.urls import reverse +from django.utils.html import format_html from django.utils.safestring import mark_safe +from capps.users.models import User from genlab_bestilling.models import ( AnalysisOrder, EquipmentOrder, 
@@ -409,13 +413,39 @@ class Meta: template_name = "django_tables2/tailwind_inner.html" +class UserAwareTemplateColumn(tables.TemplateColumn): + def __init__(self, *args, user: User = None, **kwargs) -> str: + self.user = user + super().__init__(*args, **kwargs) + + def render(self, record: Any, table: tables.Table, **kwargs) -> str: + context = self.get_context(record, table, **kwargs) + context["user"] = self.user + return self.template.render(context) + + class NewUnseenOrderTable(StaffIDMixinTable): - seen = tables.TemplateColumn( - orderable=False, - verbose_name="Seen", - template_name="staff/components/seen_column.html", - empty_values=(), - ) + seen = tables.Column(verbose_name="", orderable=False, empty_values=()) + + def __init__(self, *args, user: User = None, request: Any = None, **kwargs): + super().__init__(*args, **kwargs) + self.user = user + self.request = request + + def render_seen(self, record: Order) -> str: + if record.genrequest.responsible_staff.filter(id=self.user.id).exists(): + return format_html( + """ +
+ + + +
+ """, # noqa: E501 + reverse("staff:mark-as-seen", kwargs={"pk": record.pk}), + get_token(self.request), + ) + return "" description = tables.Column( accessor="genrequest__name", diff --git a/src/staff/templates/staff/components/seen_column.html b/src/staff/templates/staff/components/seen_column.html index 4e318c3c..455b01c1 100644 --- a/src/staff/templates/staff/components/seen_column.html +++ b/src/staff/templates/staff/components/seen_column.html @@ -1,5 +1,7 @@ +{% if user %}
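Review bot: `render_seen` reads `self.user.id` and calls `get_token(self.request)`, yet both `user` and `request` default to `None` in `NewUnseenOrderTable.__init__`, so a caller that builds the table without them gets an `AttributeError` during rendering instead of an empty cell. A guard at the top of `render_seen`, `if self.user is None or self.request is None: return ""`, would make the column fail closed. Separately, `UserAwareTemplateColumn.__init__` is annotated `-> str` where `-> None` is meant, and nothing in this hunk uses that class. The form markup between the triple quotes is not visible in this view, so it could not be reviewed.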
{% csrf_token %}
+{% endif %} diff --git a/src/staff/templates/staff/dashboard.html b/src/staff/templates/staff/dashboard.html index b57cc296..f0fe9be0 100644 --- a/src/staff/templates/staff/dashboard.html +++ b/src/staff/templates/staff/dashboard.html @@ -24,7 +24,7 @@
{% urgent_orders_table area=area %} - {% new_unseen_orders_table area=area %} + {% new_unseen_orders_table area=area user=user %} {% new_seen_orders_table area=area %}
diff --git a/src/staff/templatetags/order_tags.py b/src/staff/templatetags/order_tags.py index 77f63f48..5ebc8331 100644 --- a/src/staff/templatetags/order_tags.py +++ b/src/staff/templatetags/order_tags.py @@ -1,6 +1,7 @@ from django import template from django.db import models +from capps.users.models import User from genlab_bestilling.models import Area, Order from ..tables import ( @@ -86,7 +87,9 @@ def new_seen_orders_table(context: dict, area: Area | None = None) -> dict: @register.inclusion_tag("staff/components/order_table.html", takes_context=True) -def new_unseen_orders_table(context: dict, area: Area | None = None) -> dict: +def new_unseen_orders_table( + context: dict, area: Area | None = None, user: User | None = None +) -> dict: new_orders = ( Order.objects.filter(status=Order.OrderStatus.DELIVERED, is_seen=False) .exclude(is_urgent=True) @@ -113,7 +116,9 @@ def new_unseen_orders_table(context: dict, area: Area | None = None) -> dict: return { "title": "New unseen orders", - "table": NewUnseenOrderTable(new_orders), + "table": NewUnseenOrderTable( + new_orders, user=user, request=context.get("request") + ), "count": new_orders.count(), "request": context.get("request"), } From f1c215d119616e7fcfb9f99254ad4ca5b9d51c15 Mon Sep 17 00:00:00 2001 From: aastabk Date: Mon, 14 Jul 2025 09:05:39 +0200 Subject: [PATCH 2/5] Move logic closer to frontend --- src/staff/tables.py | 43 ++++++------------- .../staff/components/seen_column.html | 10 +++-- src/staff/templates/staff/dashboard.html | 2 +- src/staff/templatetags/order_tags.py | 15 ++++--- 4 files changed, 31 insertions(+), 39 deletions(-) diff --git a/src/staff/tables.py b/src/staff/tables.py index 4926c7ac..046fa182 100644 --- a/src/staff/tables.py +++ b/src/staff/tables.py 
@@ -3,9 +3,7 @@ import django_tables2 as tables from django.db.models import IntegerField from django.db.models.functions import Cast -from django.middleware.csrf import get_token -from django.urls import reverse -from django.utils.html import format_html +from django.template.loader import render_to_string from django.utils.safestring import mark_safe from capps.users.models import User @@ -413,39 +411,26 @@ class Meta: template_name = "django_tables2/tailwind_inner.html" -class UserAwareTemplateColumn(tables.TemplateColumn): - def __init__(self, *args, user: User = None, **kwargs) -> str: - self.user = user - super().__init__(*args, **kwargs) - - def render(self, record: Any, table: tables.Table, **kwargs) -> str: - context = self.get_context(record, table, **kwargs) - context["user"] = self.user - return self.template.render(context) - - class NewUnseenOrderTable(StaffIDMixinTable): - seen = tables.Column(verbose_name="", orderable=False, empty_values=()) + seen = tables.TemplateColumn( + verbose_name="", + orderable=False, + empty_values=(), + template_name="staff/components/seen_column.html", + ) def __init__(self, *args, user: User = None, request: Any = None, **kwargs): super().__init__(*args, **kwargs) self.user = user - self.request = request def render_seen(self, record: Order) -> str: - if record.genrequest.responsible_staff.filter(id=self.user.id).exists(): - return format_html( - """ -
- - - -
- """, # noqa: E501 - reverse("staff:mark-as-seen", kwargs={"pk": record.pk}), - get_token(self.request), - ) - return "" + return render_to_string( + "staff/components/seen_column.html", + { + "record": record, + "user": self.user, # manually pass user into template context + }, + ) description = tables.Column( accessor="genrequest__name", diff --git a/src/staff/templates/staff/components/seen_column.html b/src/staff/templates/staff/components/seen_column.html index 455b01c1..229ba084 100644 --- a/src/staff/templates/staff/components/seen_column.html +++ b/src/staff/templates/staff/components/seen_column.html @@ -1,7 +1,11 @@ -{% if user %} +{% load order_tags %} + +{% if record.genrequest.responsible_staff.all|is_responsible:user %}
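Review bot: `render_seen` renders `seen_column.html` through `render_to_string` without a request, so the `{% csrf_token %}` tag in that template has no token to emit and the resulting form would presumably be rejected by the CSRF middleware. Passing the request through, e.g. `render_to_string("staff/components/seen_column.html", {...}, request=self.request)`, restores the token; note that `__init__` still accepts `request` but this hunk stops storing it. Since `seen` is again a `TemplateColumn` with the same `template_name`, the override also duplicates what the column would render on its own.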
{% csrf_token %} - +
-{% endif %} +{% endif %} \ No newline at end of file diff --git a/src/staff/templates/staff/dashboard.html b/src/staff/templates/staff/dashboard.html index f0fe9be0..b57cc296 100644 --- a/src/staff/templates/staff/dashboard.html +++ b/src/staff/templates/staff/dashboard.html @@ -24,7 +24,7 @@
{% urgent_orders_table area=area %} - {% new_unseen_orders_table area=area user=user %} + {% new_unseen_orders_table area=area %} {% new_seen_orders_table area=area %}
diff --git a/src/staff/templatetags/order_tags.py b/src/staff/templatetags/order_tags.py index 5ebc8331..97216f2a 100644 --- a/src/staff/templatetags/order_tags.py +++ b/src/staff/templatetags/order_tags.py @@ -15,6 +15,13 @@ register = template.Library() +@register.filter +def is_responsible(staff_queryset: models.QuerySet, user: User) -> bool: + print(staff_queryset) + print(user) + return staff_queryset.filter(id=user.id).exists() + + @register.inclusion_tag("staff/components/order_table.html", takes_context=True) def urgent_orders_table(context: dict, area: Area | None = None) -> dict: urgent_orders = ( @@ -87,9 +94,7 @@ def new_seen_orders_table(context: dict, area: Area | None = None) -> dict: @register.inclusion_tag("staff/components/order_table.html", takes_context=True) -def new_unseen_orders_table( - context: dict, area: Area | None = None, user: User | None = None -) -> dict: +def new_unseen_orders_table(context: dict, area: Area | None = None) -> dict: new_orders = ( Order.objects.filter(status=Order.OrderStatus.DELIVERED, is_seen=False) .exclude(is_urgent=True) @@ -116,9 +121,7 @@ def new_unseen_orders_table( return { "title": "New unseen orders", - "table": NewUnseenOrderTable( - new_orders, user=user, request=context.get("request") - ), + "table": NewUnseenOrderTable(new_orders, user=context.get("request").user), "count": new_orders.count(), "request": context.get("request"), } From 2a20d25b6102bcd2609d586a670757891d093c50 Mon Sep 17 00:00:00 2001 From: aastabk Date: Mon, 14 Jul 2025 10:06:04 +0200 Subject: [PATCH 3/5] Removed unnecessary code, checks buttons everywhere, added check in post. --- src/staff/tables.py | 15 --------------- .../templates/staff/analysisorder_detail.html | 3 ++- .../templates/staff/components/seen_column.html | 2 +- .../templates/staff/extractionorder_detail.html | 3 ++- src/staff/templatetags/order_tags.py | 2 +- src/staff/views.py | 11 +++++++++++ 6 files changed, 17 insertions(+), 19 deletions(-) 
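Review bot: `is_responsible` has no docstring saying that it only decides whether a control is displayed, and it runs one `exists()` query for every row the template renders. A one-line docstring along the lines of `"""Return True when user is among the responsible staff; hides controls, does not enforce access."""` would make it clear that the enforced check has to live in the view handling the POST. In the last hunk of this file, `context.get("request").user` raises `AttributeError` when the tag is rendered without a request in the context; `request = context.get("request")` followed by `getattr(request, "user", None)` avoids that.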
diff --git a/src/staff/tables.py b/src/staff/tables.py index 046fa182..ff700ce7 100644 --- a/src/staff/tables.py +++ b/src/staff/tables.py @@ -3,10 +3,8 @@ import django_tables2 as tables from django.db.models import IntegerField from django.db.models.functions import Cast -from django.template.loader import render_to_string from django.utils.safestring import mark_safe -from capps.users.models import User from genlab_bestilling.models import ( AnalysisOrder, EquipmentOrder, @@ -419,19 +417,6 @@ class NewUnseenOrderTable(StaffIDMixinTable): template_name="staff/components/seen_column.html", ) - def __init__(self, *args, user: User = None, request: Any = None, **kwargs): - super().__init__(*args, **kwargs) - self.user = user - - def render_seen(self, record: Order) -> str: - return render_to_string( - "staff/components/seen_column.html", - { - "record": record, - "user": self.user, # manually pass user into template context - }, - ) - description = tables.Column( accessor="genrequest__name", verbose_name="Description", diff --git a/src/staff/templates/staff/analysisorder_detail.html b/src/staff/templates/staff/analysisorder_detail.html index fc2ae045..a31480dd 100644 --- a/src/staff/templates/staff/analysisorder_detail.html +++ b/src/staff/templates/staff/analysisorder_detail.html @@ -1,5 +1,6 @@ {% extends "staff/base.html" %} {% load i18n %} +{% load order_tags %} {% block content %} @@ -18,7 +19,7 @@

Order {{ object }}

- {% if not object.is_seen %} + {% if object.genrequest.responsible_staff.all|is_responsible:request.user and not object.is_seen %}
{% csrf_token %} diff --git a/src/staff/templates/staff/components/seen_column.html b/src/staff/templates/staff/components/seen_column.html index 229ba084..7a65ad7f 100644 --- a/src/staff/templates/staff/components/seen_column.html +++ b/src/staff/templates/staff/components/seen_column.html @@ -1,6 +1,6 @@ {% load order_tags %} -{% if record.genrequest.responsible_staff.all|is_responsible:user %} +{% if record.genrequest.responsible_staff.all|is_responsible:request.user %} {% csrf_token %} diff --git a/src/staff/templates/staff/extractionorder_detail.html b/src/staff/templates/staff/extractionorder_detail.html index cf21b4c0..a51adfb6 100644 --- a/src/staff/templates/staff/extractionorder_detail.html +++ b/src/staff/templates/staff/extractionorder_detail.html @@ -1,5 +1,6 @@ {% extends "staff/base.html" %} {% load i18n %} +{% load order_tags %} {% block content %} @@ -38,7 +39,7 @@

Order {{ object }}

- {% if not object.is_seen %} + {% if object.genrequest.responsible_staff.all|is_responsible:request.user and not object.is_seen %} {% csrf_token %} diff --git a/src/staff/templatetags/order_tags.py b/src/staff/templatetags/order_tags.py index 97216f2a..cf7d682a 100644 --- a/src/staff/templatetags/order_tags.py +++ b/src/staff/templatetags/order_tags.py @@ -121,7 +121,7 @@ def new_unseen_orders_table(context: dict, area: Area | None = None) -> dict: return { "title": "New unseen orders", - "table": NewUnseenOrderTable(new_orders, user=context.get("request").user), + "table": NewUnseenOrderTable(new_orders), "count": new_orders.count(), "request": context.get("request"), } diff --git a/src/staff/views.py b/src/staff/views.py index 7b44831f..0052ea52 100644 --- a/src/staff/views.py +++ b/src/staff/views.py @@ -190,6 +190,17 @@ def get_object(self) -> Order: def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse: try: order = self.get_object() + + if not order.genrequest.responsible_staff.filter( + id=request.user.id + ).exists(): + messages.error( + request, _("You are not authorized to mark this order as seen.") + ) + return HttpResponseRedirect( + self.get_return_url(request.POST.get("return_to")) + ) + order.toggle_seen() messages.success(request, _("Order is marked as seen")) except Exception as e: From 24de91e326aba341137e7f60ab92d77b9d960d76 Mon Sep 17 00:00:00 2001 From: aastabk Date: Mon, 14 Jul 2025 10:07:12 +0200 Subject: [PATCH 4/5] Removed prints --- src/staff/templatetags/order_tags.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/staff/templatetags/order_tags.py b/src/staff/templatetags/order_tags.py index cf7d682a..54cab501 100644 --- a/src/staff/templatetags/order_tags.py +++ b/src/staff/templatetags/order_tags.py @@ -17,8 +17,6 @@ @register.filter def is_responsible(staff_queryset: models.QuerySet, user: User) -> bool: - print(staff_queryset) - print(user) return staff_queryset.filter(id=user.id).exists() 
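Review bot: The new denial branch in `post` answers with an ordinary redirect and a flash message, so a rejected attempt looks like a success in the access log and is recorded nowhere else. Consider logging it before the redirect, e.g. `logger.warning("mark-as-seen denied: user=%s order=%s", request.user.pk, order.pk)`, assuming the module has or gains a logger. The branch also passes `request.POST.get("return_to")` to `get_return_url`, whose body is outside this hunk; confirm that it restricts the target to same-site URLs, for instance with `url_has_allowed_host_and_scheme`. The membership test repeats the `is_responsible` template filter, so one shared helper would keep the displayed gate and the enforced check from drifting apart. `post` starts and ends outside the hunk.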
From 68b75a29f8dafb4db78a642b035af46a517291bb Mon Sep 17 00:00:00 2001 From: aastabk Date: Mon, 14 Jul 2025 10:08:57 +0200 Subject: [PATCH 5/5] Fixed linter error --- src/staff/templates/staff/components/seen_column.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/staff/templates/staff/components/seen_column.html b/src/staff/templates/staff/components/seen_column.html index 7a65ad7f..8d0329b3 100644 --- a/src/staff/templates/staff/components/seen_column.html +++ b/src/staff/templates/staff/components/seen_column.html @@ -8,4 +8,4 @@ Mark as seen -{% endif %} \ No newline at end of file +{% endif %}