feat: migrate billing.view permission to billing ownership

The permission model duplicated access granted by billing ownership.

TODO:

- migrate existing users with permissions to ownership model
- add UI to manage ownership

Fixes #17277

Author: nijel

ci/run-migrate

@@ -87,6 +87,8 @@ check
 ./manage.py shell -c 'from weblate.memory.models import Memory; from weblate.lang.models import Language; Memory.objects.create(source_language=Language.objects.get(code="en"), target_language=Language.objects.get(code="cs"), source="source"*1000, target="target"*1000, origin="origin"*1000)'
 check
 
+# TODO: Add users with billing permission
+
 # Add a pending unit
 semver_compare "$1" "<" "5.12"
 pending_migration_test=$?

weblate/auth/data.py

@@ -17,8 +17,6 @@
 SELECTION_ALL_PROTECTED = 4
 
 PERMISSIONS = (
-    # Translators: Permission name
-    ("billing.view", gettext_noop("View billing info")),
     # Translators: Permission name
     ("change.download", gettext_noop("Download changes")),
     # Translators: Permission name
@@ -152,8 +150,6 @@
     # Translators: Permission name
     ("componentlist.edit", gettext_noop("Manage component lists")),
     # Translators: Permission name
-    ("billing.manage", gettext_noop("Manage billing")),
-    # Translators: Permission name
     ("management.addons", gettext_noop("Manage site-wide add-ons")),
 )
 
@@ -260,7 +256,6 @@ def filter_perms(prefix: str, exclude: set | None = None):
         pgettext_noop("Access-control role", "Manage repository"),
         filter_perms("vcs.") | {"component.lock"},
     ),
-    (pgettext_noop("Access-control role", "Billing"), filter_perms("billing.")),
     (pgettext_noop("Access-control role", "Add new projects"), {"project.add"}),
 )
 
@@ -321,5 +316,4 @@ def filter_perms(prefix: str, exclude: set | None = None):
         "Per-project access-control team name", "Automatic translation"
     ): "Automatic translation",
     pgettext_noop("Per-project access-control team name", "VCS"): "Manage repository",
-    pgettext_noop("Per-project access-control team name", "Billing"): "Billing",
 }

weblate/auth/permissions.py

@@ -4,7 +4,7 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, cast
+from typing import TYPE_CHECKING
 
 from django.conf import settings
 from django.utils.translation import gettext
@@ -27,16 +27,13 @@
 if TYPE_CHECKING:
     from collections.abc import Callable
 
-    from django.db.models import Model
+    from django.db.models import Model, QuerySet
 
     from weblate.auth.models import Group, User
     from weblate.billing.models import Billing
     from weblate.checks.models import Check
     from weblate.memory.models import Memory
-    from weblate.trans.models import (
-        Comment,
-        Suggestion,
-    )
+    from weblate.trans.models import Comment, Suggestion
 
     from .results import PermissionResult
 
@@ -597,19 +594,23 @@ def check_team_edit_users(
     )
 
 
-@register_perm("billing.view")
+@register_perm("meta:billing.view")
 def check_billing_view(
     user: User, permission: str, obj: Billing | Project
 ) -> bool | PermissionResult:
+    if user.is_superuser:
+        return True
+
+    billings: list[Billing] | QuerySet[Billing]
     # We check Billing by hasattr to avoid importing optional Django app. To make type
     # checker understand this, there is negative check on Project and cast in the
     # check_permission call.
     if hasattr(obj, "all_projects") and not isinstance(obj, Project):
-        if user.has_perm("billing.manage") or obj.owners.filter(pk=user.pk).exists():
-            return True
-        # This is a billing object
-        return any(check_permission(user, permission, prj) for prj in obj.all_projects)
-    return check_permission(user, permission, cast("Project", obj))
+        billings = [obj]
+    else:
+        billings = obj.billings
+
+    return any(billing.owners.filter(pk=user.pk).exists() for billing in billings)
 
 
 @register_perm("billing:project.permissions")

weblate/billing/migrations/0007_migrate_owners.py

@@ -0,0 +1,67 @@
+# Copyright © Michal Čihař <michal@weblate.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Generated by Django 5.2.10 on 2026-01-22 11:46
+
+from django.db import migrations
+
+from weblate.auth.data import (
+    SELECTION_ALL,
+    SELECTION_ALL_PROTECTED,
+    SELECTION_ALL_PUBLIC,
+    SELECTION_COMPONENT_LIST,
+    SELECTION_MANUAL,
+)
+
+# Copied from weblate/trans/models/project.py
+ACCESS_PUBLIC = 0
+ACCESS_PROTECTED = 1
+
+
+def migrate_owners(apps, schema_editor) -> None:
+    User = apps.get_model("weblate_auth", "User")
+    Project = apps.get_model("trans", "Project")
+
+    all_projects = Project.objects.all()
+    all_protected_projects = Project.objects.filter(access_control=ACCESS_PROTECTED)
+    all_public_projects = Project.objects.filter(access_control=ACCESS_PUBLIC)
+
+    projects_cache = {}
+
+    for user in User.objects.filter(
+        groups__roles__permissions__codename="billing.view"
+    ).prefetch_related("groups"):
+        for group in user.groups:
+            # Iterate over projects
+            if group.id in projects_cache:
+                projects = projects_cache[group.id]
+            else:
+                if group.project_selection == SELECTION_COMPONENT_LIST:
+                    continue
+                if group.project_selection == SELECTION_ALL:
+                    projects = all_projects
+                elif group.project_selection == SELECTION_ALL_PROTECTED:
+                    projects = all_protected_projects
+                elif group.project_selection == SELECTION_ALL_PUBLIC:
+                    projects = all_public_projects
+                elif group.project_selection == SELECTION_MANUAL:
+                    projects = group.projects.all()
+                else:
+                    msg = f"Unsupported {group.project_selection=}"
+                    raise ValueError(msg)
+                projects_cache[group.id] = projects
+
+            for project in projects:
+                for billing in project.billing_set.all():
+                    billing.owners.add(user)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("billing", "0006_billinglog_details_alter_billinglog_event"),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_owners, migrations.RunPython.noop, elidable=True),
+    ]

weblate/billing/models.py

@@ -120,14 +120,10 @@ def get_valid(self):
 
     def for_user(self, user: User):
         if user.has_perm("billing.manage"):
-            return self.all().order_by("state")
-        return (
-            self.filter(
-                Q(projects__in=user.projects_with_perm("billing.view")) | Q(owners=user)
-            )
-            .distinct()
-            .order_by("state")
-        )
+            billings = self.all()
+        else:
+            billings = self.filter(owners=user).distinct()
+        return billings.order_by("state")
 
     def for_user_within_limits(self, user: User):
         """Return billings for the given user which are valid and within project creation limits."""
@@ -471,10 +467,7 @@ def is_active(self):
         return self.state in Billing.ACTIVE_STATES
 
     def get_notify_users(self):
-        users = self.owners.distinct()
-        for project in self.projects.iterator():
-            users |= User.objects.having_perm("billing.view", project)
-        return users.exclude(is_superuser=True)
+        return self.owners.exclude(is_superuser=True).distinct()
 
     def _get_libre_checklist(self):
         message = ngettext(
@@ -717,12 +710,6 @@ def record_project_bill(
     if isinstance(instance, Component):
         instance = instance.project
 
-    # Sync billing access upon project removal, otherwise users will lose access
-    if isinstance(instance, Project):
-        users = User.objects.having_perm("billing.view", instance)
-        for billing in instance.billing_set.all():
-            billing.owners.add(*users)
-
     # Collect billings to update for delete_project_bill
     instance.billings_to_update = list(
         instance.billing_set.values_list("pk", flat=True)

weblate/billing/views.py

@@ -51,7 +51,7 @@ def download_invoice(request: AuthenticatedHttpRequest, pk) -> HttpResponse:
         msg = "No reference!"
         raise Http404(msg)
 
-    if not request.user.has_perm("billing.view", invoice.billing):
+    if not request.user.has_perm("meta:billing.view", invoice.billing):
         raise PermissionDenied
 
     if not invoice.filename_valid:
@@ -182,7 +182,7 @@ def overview(request: AuthenticatedHttpRequest) -> HttpResponse:
 def detail(request: AuthenticatedHttpRequest, pk) -> HttpResponse:
     billing = get_object_or_404(Billing, pk=pk)
 
-    if not request.user.has_perm("billing.view", billing):
+    if not request.user.has_perm("meta:billing.view", billing):
         raise PermissionDenied
 
     if request.method == "POST":

weblate/templates/snippets/info.html

@@ -27,7 +27,7 @@ <h4 class="card-title">{% translate "Summary" %}</h4>
               </tr>
             {% endif %}
 
-            {% perm 'billing.view' project as user_can_view_billing %}
+            {% perm 'meta:billing.view' project as user_can_view_billing %}
 
             {% if user_can_view_billing %}
               {% if project.billings %}

weblate/templates/snippets/project/state.html

@@ -5,7 +5,7 @@
   {% show_message "warning" msg %}
 {% endif %}
 
-{% perm 'billing.view' object as user_can_view_billing %}
+{% perm 'meta:billing.view' object as user_can_view_billing %}
 
 {% if object.is_libre_trial %}
   {% include "snippets/project/billing-libre-trial.html" %}