Bump pillow from 6.2.1 to 7.1.0

.flowconfig

@@ -0,0 +1,13 @@
+[ignore]
+
+[include]
+
+[libs]
+
+[lints]
+
+[options]
+module.system.node.allow_root_relative=true
+module.system.node.root_relative_dirname=./huxley/www/js
+
+[strict]

.gitignore

@@ -40,3 +40,5 @@ test_position_paper.doc
 
 env/
 .vscode/
+
+huxley/service.json

.travis.yml

@@ -3,11 +3,11 @@ python:
     - "3.6"
 install:
     - pip install -r requirements.txt
-    - nvm install 6.4
-    - nvm use 6.4
+    - nvm install 12.19.0
+    - nvm use 12.19.0
     - npm install
 before_script:
     - python manage.py migrate
 script:
     - python manage.py test
-    - npm test
+    - npm run flow

docs/tutorials/setup/tutorial.md

@@ -181,7 +181,7 @@ var TodoApp = React.createClass({
     }
 });
 
-module.exports = TodoApp;
+export default TodoApp;
 ```
 
 Then in www.html change the line `<p>Hello, world!</p>` to `<div id="main"></div>`

huxley/api/permissions.py

@@ -120,7 +120,8 @@ def has_permission(self, request, view):
         return (
             user_is_advisor(request, view, assignment.registration.school_id)
             or user_is_chair(request, view, assignment.committee_id) or
-            user_is_delegate(request, view, assignment_id, 'assignment'))
+            user_is_delegate(request, view, assignment_id, 'assignment') or
+            user_is_in_committee(request, view, assignment.committee_id))
 
 
 class AssignmentListPermission(permissions.BasePermission):
@@ -132,10 +133,31 @@ def has_permission(self, request, view):
             school_id = request.query_params.get('school_id', -1)
             committee_id = request.query_params.get('committee_id', -1)
             return (user_is_chair(request, view, committee_id) or
-                    user_is_advisor(request, view, school_id))
+                    user_is_advisor(request, view, school_id) or
+                    user_is_in_committee(request, view, committee_id))
 
         return False
 
+class CommitteeDetailPermission(permissions.BasePermission):
+    '''Accept requests to retrieve a committee from any user. 
+       Only allow superusers and chairs to update committees.'''
+
+    def has_permission(self, request, view):
+        if request.user.is_superuser:
+            return True
+
+        committee_id = view.kwargs.get('pk', None)
+        committee = Committee.objects.get(id=committee_id)
+        user = request.user
+        method = request.method
+
+        if method != 'GET':
+            return user_is_chair(request, view,
+                                   committee_id)
+
+        return True
+
+
 
 class DelegateDetailPermission(permissions.BasePermission):
     '''Accept requests to retrieve, update, and destroy a delegate from the
@@ -185,7 +207,8 @@ def has_permission(self, request, view):
             school_id = request.query_params.get('school_id', -1)
             committee_id = request.query_params.get('committee_id', -1)
             return (user_is_chair(request, view, committee_id) or
-                    user_is_advisor(request, view, school_id))
+                    user_is_advisor(request, view, school_id) or
+                    user_is_delegate(request, view, committee_id, 'committee'))
 
         if method == 'POST':
             return user_is_advisor(request, view, request.data['school'])
@@ -331,6 +354,14 @@ def has_permission(self, request, view):
 
         return False
 
+class NotePermission(permissions.BasePermission):
+    '''Accept requests to view Notes when user is not an advisor'''
+    def has_permission(self, request, view):
+        user = request.user
+        if user.is_authenticated and not user.is_advisor():
+            return True
+        return False
+
 
 def user_is_advisor(request, view, school_id):
     user = request.user
@@ -351,7 +382,15 @@ def user_is_delegate(request, view, target_id, field=None):
     if not user.is_authenticated or not user.is_delegate():
         return False
 
-    if field:
+    if field and field != 'committee':
         return getattr(user.delegate, field + '_id', -1) == int(target_id)
+    elif field == 'committee':
+        return getattr(getattr(user.delegate, 'assignment', -1), 'committee_id', -1) == int(target_id)
 
     return user.delegate_id == int(target_id)
+
+def user_is_in_committee(request, view, committee_id):
+    user = request.user
+    if not user.is_authenticated or not user.is_delegate() or not user.delegate:
+        return False
+    return user.delegate.assignment.committee_id == int(committee_id)

huxley/api/serializers/__init__.py

@@ -12,3 +12,4 @@
 from .position_paper import PositionPaperSerializer
 from .rubric import RubricSerializer
 from .secretariat_member import SecretariatMemberSerializer
+from .note import NoteSerializer

huxley/api/serializers/committee.py

@@ -17,4 +17,6 @@ class Meta:
                   'full_name',
                   'delegation_size',
                   'rubric',
-                  'special', )
+                  'special',
+                  'zoom_link',
+                  'notes_activated')

huxley/api/serializers/note.py

@@ -0,0 +1,16 @@
+# Copyright (c) 2011-2020 Berkeley Model United Nations. All rights reserved.
+# Use of this source code is governed by a BSD License (see LICENSE).
+
+from rest_framework import serializers
+
+from huxley.core.models import Note
+
+class TimestampField(serializers.ReadOnlyField):
+    def to_representation(self, value):
+        return value.timestamp.timestamp()
+
+class NoteSerializer(serializers.ModelSerializer):
+    timestamp = TimestampField(source='*')
+    class Meta:
+        model = Note
+        fields = ('id', 'is_chair', 'sender', 'recipient', 'msg', 'timestamp')

huxley/api/tests/test_committee.py

@@ -1,6 +1,6 @@
 # Copyright (c) 2011-2015 Berkeley Model United Nations. All rights reserved.
 # Use of this source code is governed by a BSD License (see LICENSE).
-
+from huxley.accounts.models import User
 from huxley.api import tests
 from huxley.api.tests import auto
 from huxley.utils.test import models
@@ -22,57 +22,141 @@ class CommitteeDetailPutTestCase(tests.UpdateAPITestCase):
     params = {'name': 'DISC', 'special': True}
 
     def setUp(self):
-        self.committee = models.new_committee()
+        self.chair = models.new_user(username='chair',
+                                     password='chair',
+                                     user_type=User.TYPE_CHAIR)
+        self.committee = models.new_committee(user=self.chair)
 
     def test_anonymous_user(self):
         '''Unauthenticated users shouldn't be able to update committees.'''
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PUT')
+        self.assertNotAuthenticated(response)
 
-    def test_authenticated_user(self):
-        '''Authenticated users shouldn't be able to update committees.'''
-        models.new_user(username='user', password='user')
-        self.client.login(username='user', password='user')
+    def test_delegate(self):
+        '''Delegates shouldn't be able to update committees.'''
+        models.new_user(username='delegate',
+                        password='user',
+                        user_type=User.TYPE_DELEGATE)
+        self.client.login(username='delegate', password='user')
+
+        response = self.get_response(self.committee.id, params=self.params)
+        self.assertPermissionDenied(response)
+
+    def test_advisor(self):
+        '''Advisors shouldn't be able to update committees.'''
+        models.new_user(username='advisor',
+                        password='user',
+                        user_type=User.TYPE_ADVISOR)
+        self.client.login(username='advisor', password='user')
+
+        response = self.get_response(self.committee.id, params=self.params)
+        self.assertPermissionDenied(response)
+
+    def test_chair(self):
+        '''Chairs should be able to update committees.'''
+        self.client.login(username='chair', password='chair')
 
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PUT')
+        response.data.pop('rubric')
+        self.assertEqual(
+            response.data, {
+                'id': self.committee.id,
+                'name': 'DISC',
+                'full_name': self.committee.full_name,
+                'delegation_size': self.committee.delegation_size,
+                'special': True,
+                'notes_activated': self.committee.notes_activated,
+                'zoom_link': self.committee.zoom_link
+            })
 
     def test_superuser(self):
         '''Superusers shouldn't be able to update committees.'''
         models.new_superuser(username='user', password='user')
         self.client.login(username='user', password='user')
 
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PUT')
+        response.data.pop('rubric')
+        self.assertEqual(
+            response.data, {
+                'id': self.committee.id,
+                'name': 'DISC',
+                'full_name': self.committee.full_name,
+                'delegation_size': self.committee.delegation_size,
+                'special': True,
+                'notes_activated': self.committee.notes_activated,
+                'zoom_link': self.committee.zoom_link
+            })
 
 
 class CommitteeDetailPatchTestCase(tests.PartialUpdateAPITestCase):
     url_name = 'api:committee_detail'
     params = {'name': 'DISC', 'special': True}
 
     def setUp(self):
-        self.committee = models.new_committee()
+        self.chair = models.new_user(username='chair',
+                                     password='chair',
+                                     user_type=User.TYPE_CHAIR)
+        self.committee = models.new_committee(user=self.chair)
 
     def test_anonymous_user(self):
         '''Unauthenticated users shouldn't be able to update committees.'''
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PATCH')
+        self.assertNotAuthenticated(response)
 
-    def test_authenticated_user(self):
-        '''Authenticated users shouldn't be able to update committees.'''
-        models.new_user(username='user', password='user')
-        self.client.login(username='user', password='user')
+    def test_delegate(self):
+        '''Delegates shouldn't be able to update committees.'''
+        models.new_user(username='delegate',
+                        password='user',
+                        user_type=User.TYPE_DELEGATE)
+        self.client.login(username='delegate', password='user')
+
+        response = self.get_response(self.committee.id, params=self.params)
+        self.assertPermissionDenied(response)
+
+    def test_advisor(self):
+        '''Advisors shouldn't be able to update committees.'''
+        models.new_user(username='advisor',
+                        password='user',
+                        user_type=User.TYPE_ADVISOR)
+        self.client.login(username='advisor', password='user')
+
+        response = self.get_response(self.committee.id, params=self.params)
+        self.assertPermissionDenied(response)
+
+    def test_chair(self):
+        '''Chairs should be able to update committees.'''
+        self.client.login(username='chair', password='chair')
 
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PATCH')
+        response.data.pop('rubric')
+        self.assertEqual(
+            response.data, {
+                'id': self.committee.id,
+                'name': 'DISC',
+                'full_name': self.committee.full_name,
+                'delegation_size': self.committee.delegation_size,
+                'special': True,
+                'notes_activated': self.committee.notes_activated,
+                'zoom_link': self.committee.zoom_link
+            })
 
     def test_superuser(self):
         '''Superusers shouldn't be able to update committees.'''
         models.new_superuser(username='user', password='user')
         self.client.login(username='user', password='user')
 
         response = self.get_response(self.committee.id, params=self.params)
-        self.assertMethodNotAllowed(response, 'PATCH')
+        response.data.pop('rubric')
+        self.assertEqual(
+            response.data, {
+                'id': self.committee.id,
+                'name': 'DISC',
+                'full_name': self.committee.full_name,
+                'delegation_size': self.committee.delegation_size,
+                'special': True,
+                'notes_activated': self.committee.notes_activated,
+                'zoom_link': self.committee.zoom_link
+            })
 
 
 class CommitteeDetailDeleteTestCase(auto.DestroyAPIAutoTestCase):
@@ -84,12 +168,12 @@ def get_test_object(cls):
 
     def test_anonymous_user(self):
         '''Anonymous users cannot delete committees.'''
-        self.do_test(expected_error=auto.EXP_DELETE_NOT_ALLOWED)
+        self.do_test(expected_error=auto.EXP_NOT_AUTHENTICATED)
 
     def test_authenticated_user(self):
         '''Authenticated users cannot delete committees.'''
         self.as_default_user().do_test(
-            expected_error=auto.EXP_DELETE_NOT_ALLOWED)
+            expected_error=auto.EXP_PERMISSION_DENIED)
 
     def test_superuser(self):
         '''Superusers cannot delete committees.'''
@@ -107,24 +191,32 @@ def test_anonymous_user(self):
         response = self.get_response()
         for r in response.data:
             r.pop('rubric')
-        self.assertEqual(response.data, [
-            {'delegation_size': c1.delegation_size,
-             'special': c1.special,
-             'id': c1.id,
-             'full_name': c1.full_name,
-             'name': c1.name}, {'delegation_size': c2.delegation_size,
-                                'special': c2.special,
-                                'id': c2.id,
-                                'full_name': c2.full_name,
-                                'name': c2.name}
-        ])
+        self.assertEqual(response.data, [{
+            'delegation_size': c1.delegation_size,
+            'special': c1.special,
+            'id': c1.id,
+            'full_name': c1.full_name,
+            'name': c1.name,
+            'notes_activated': c1.notes_activated,
+            'zoom_link': c1.zoom_link
+        }, {
+            'delegation_size': c2.delegation_size,
+            'special': c2.special,
+            'id': c2.id,
+            'full_name': c2.full_name,
+            'name': c2.name,
+            'notes_activated': c2.notes_activated,
+            'zoom_link': c2.zoom_link
+        }])
 
 
 class CommitteeListPostTestCase(tests.CreateAPITestCase):
     url_name = 'api:committee_list'
-    params = {'name': 'DISC',
-              'full_name': 'Disarmament and International Security',
-              'delegation_size': 100}
+    params = {
+        'name': 'DISC',
+        'full_name': 'Disarmament and International Security',
+        'delegation_size': 100
+    }
 
     def test_anonymous_user(self):
         '''Unauthenticated users shouldn't be able to create committees.'''