From 2a8245233ae1aec88032f6af6150f4de7c436f2f Mon Sep 17 00:00:00 2001
From: Jori Lindell
Date: Mon, 17 Nov 2025 18:11:30 +0200
Subject: [PATCH] Remove Guardian permissions when unit authorization is deleted

When a unit authorization row is completely removed from the formset, the Guardian permission "unit:can_approve_reservation" was not being removed from the database, leaving orphaned permissions. This fix adds handling for deleted forms by:
- Processing formset.deleted_forms to remove permissions for deleted authorizations
- Adding DELETE check to skip deleted forms in the main processing loop
---
 respa_admin/views/resources.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/respa_admin/views/resources.py b/respa_admin/views/resources.py
index 753fdbd8f..c73a57e1e 100644
--- a/respa_admin/views/resources.py
+++ b/respa_admin/views/resources.py
@@ -118,8 +118,17 @@ def post(self, request, *args, **kwargs):
 
 def forms_valid(self, unit_authorization_formset):
 unit_authorization_formset.instance = self.object
+
+ # Handle deleted forms - remove permissions for deleted authorizations
+ for form in unit_authorization_formset.deleted_forms:
+ if form.cleaned_data.get("subject"):
+ remove_perm(
+ "unit:can_approve_reservation", self.object, form.cleaned_data["subject"]
+ )
+
+ # Handle existing and new forms
 for form in unit_authorization_formset.cleaned_data:
- if "subject" in form and "level" in form:
+ if "subject" in form and "level" in form and not form.get("DELETE"):
 if form["can_approve_reservation"]:
 assign_perm(
 "unit:can_approve_reservation", self.object, form["subject"]
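Review bot: The new `deleted_forms` loop decides whose permission to revoke from `form.cleaned_data["subject"]`, which is the submitted value and not the subject stored on the authorization row being deleted. If that field is changed in the same submission, or left invalid (Django skips validation errors on rows marked for deletion, so the key may be missing), `remove_perm` targets a different user or is skipped, and the original holder keeps `unit:can_approve_reservation`. Assuming these are model forms of an inline formset, which the `instance` assignment suggests, read the subject from the saved row instead, e.g. `subject = form.instance.subject if form.instance.pk else None`, and call `remove_perm` only when it is set. A short comment that revocation must run before the assign loop, so that a subject who still has another retained row gets the permission back, would also help. `forms_valid` continues past the end of the hunk, so the rest of the assign/revoke logic is not visible here.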