fix: hide Unflag package from non-maintainers

Closes: #364
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

aurweb/pkgbase/actions.py

@@ -38,8 +38,8 @@ def pkgbase_unnotify_instance(request: Request, pkgbase: PackageBase) -> None:
 
 
 def pkgbase_unflag_instance(request: Request, pkgbase: PackageBase) -> None:
-    has_cred = request.user.has_credential(
-        creds.PKGBASE_UNFLAG, approved=[pkgbase.Flagger, pkgbase.Maintainer])
+    has_cred = request.user.has_credential(creds.PKGBASE_UNFLAG, approved=[
+                                           pkgbase.Flagger, pkgbase.Maintainer] + [c.User for c in pkgbase.comaintainers])
     if has_cred:
         with db.begin():
             pkgbase.OutOfDateTS = None

aurweb/pkgbase/util.py

@@ -39,6 +39,9 @@ def make_context(request: Request, pkgbase: PackageBase,
             PackageComaintainer.Priority.asc()
         ).all()
     ]
+    context["unflaggers"] = context["comaintainers"].copy()
+    context["unflaggers"].append(pkgbase.Maintainer)
+
     context["packages_count"] = pkgbase.packages.count()
     context["keywords"] = pkgbase.keywords
     context["comments"] = pkgbase.comments.order_by(

templates/partials/packages/actions.html

@@ -41,6 +41,7 @@
                         </a>
                     </span>
                 </li>
+                {% if request.user.has_credential(creds.PKGBASE_UNFLAG, approved=unflaggers) %}
                 <li>
                     <form action="/pkgbase/{{ pkgbase.Name }}/unflag" method="post">
                         <input class="button text-button"
@@ -50,6 +51,7 @@
                         />
                     </form>
                 </li>
+                {% endif %}
             {% endif %}
             <li>
                 {% if not voted %}

[Leon Möller]

Isn't this missing pkgbase.Flagger?

[Leonidas Spyropoulos]

@jkhsjdhjs Hmm, maybe, I don't know - should the one who flagged the package be able to unflag it? Haven't thought this scenario and this fix is about #364 (closed) . I suppose this feature (if it is to be considered) would be on a separate issue / MR.

[Leon Möller]

@artafinde The way I see it the flagger is able to unflag the package, it's just that the link for unflagging is hidden for them. The context["unflaggers"] is only used in the template when checking whether to show the link or not. The flagger seems to be able to unflag in any case: 034e47bc

[Kevin Morris]

I personally can't see a reason why we shouldn't allow a user themselves to unflag something that they incorrectly decided to flag. This means two things:

1. (Pro) A maintainer/co-maintainer isn't completely responsible for mistaken flags, a user themselves can remove the extra step of forcing a maint/co-maint to unflag it, making the maint/co-maint job easier.
2. (Con) This could be confusing to the maintainer/co-maintainer if they are expecting to need to unflag, but it's already been unflagged by the user.

I think the pro here heavily outweighs the con, which is a slight inconvenience. Thoughts?

Reference: #380 (closed)