Conversation

@Gagan-Ram Gagan-Ram commented Oct 30, 2025

fixes: #1099

Summary by Sourcery

Enable a staff impersonation (admin) mode that bypasses standard permission checks across Orga, CFP, agenda, and talk components by introducing UI controls, centralizing admin mode logic, updating permission tags, and adjusting data queries to grant full access when in admin mode.

New Features:

  • Add admin mode navbar controls for staff users to enter and exit impersonation sessions
  • Display a warning listing past admin sessions requiring comments
  • Introduce has_event_perm template tag to perform permission checks that include admin mode

Enhancements:

  • Centralize admin mode logic via common.permissions.check_admin_mode and integrate it into view mixins
  • Replace has_perm with has_event_perm across templates to respect admin mode overrides
  • Override the Orga dashboard queryset to show all events when impersonating
  • Extend questions_for_user and related API views/serializers to accept context and honor admin mode

@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Oct 30, 2025

Reviewer's Guide

This PR introduces an admin mode for staff users via temporary sudo sessions, injecting UI controls to enter/exit admin mode, providing warnings for unaudited sessions, and overriding permission checks across the application through a new check_admin_mode hook and has_event_perm tag; it also adapts view querysets and talk question filtering to respect admin mode and adds minimal styling for the new controls.

Sequence diagram for permission checks with admin mode

```mermaid
sequenceDiagram
    participant StaffUser as actor Staff User
    participant WebApp as Web Application
    participant Permission as Permission System
    StaffUser->>WebApp: Request access to restricted resource
    WebApp->>Permission: has_event_perm(permission, user, request, obj)
    Permission->>WebApp: Calls check_admin_mode(user, request)
    alt Active staff session
        Permission-->>WebApp: Returns True (grant access)
    else No active staff session
        Permission-->>WebApp: Checks standard permission
        Permission-->>WebApp: Returns result
    end
    WebApp->>StaffUser: Grants or denies access
```

Class diagram for staff session and admin mode permission check

```mermaid
classDiagram
    class User {
        +has_perm(perm, obj)
        +has_active_staff_session(session_key)
    }
    class StaffSession {
        user
        date_end
        comment
    }
    class Permissions {
        +check_admin_mode(self, request)
    }
    User "1" -- "*" StaffSession : has
    Permissions ..> User : uses
    Permissions ..> StaffSession : checks
    StaffSession : +user
    StaffSession : +date_end
    StaffSession : +comment
```

File-Level Changes

Change: Admin mode UI controls in the organizer layout
  • Loaded staff_session tag in the navbar template
  • Added 'Admin mode' and 'End admin session' buttons with CSRF forms
  • Emitted an is_admin_mode flag via JSON script
  • Displayed a warning block listing sessions needing comments
  Files: app/eventyay/orga/templates/orga/base.html

Change: New staff_session tag library and permission helper
  • Created staff_session.py with has_event_perm, has_active_staff_session, staff_need_to_explain tags
  • Introduced common/permissions.py with check_admin_mode logic
  • Defined admin override for permission checks
  Files: app/eventyay/orga/templatetags/staff_session.py, app/eventyay/common/permissions.py

Change: Integrate admin mode into backend permission checks
  • Extended GenericView has_permission to allow admin mode override
  • Augmented get_context_data to grant create/update/delete when in admin mode
  • Updated PermissionRequiredMixin to check admin mode before enforcing rules
  Files: app/eventyay/common/views/generic.py, app/eventyay/common/views/mixins.py

Change: Replace template has_perm tags with has_event_perm
  • Loaded staff_session in all orga, cfp, agenda, and common templates
  • Replaced dozens of has_perm calls with has_event_perm to honor admin mode
  Files: app/eventyay/orga/templates/**, app/eventyay/cfp/templates/**, app/eventyay/agenda/templates/**, app/eventyay/common/templates/**

Change: Adjust business logic to respect admin mode
  • Orga dashboard queryset returns all events when in admin mode
  • Updated questions_for_user signature to accept self/request and use check_admin_mode
  • Refactored API viewsets and serializers to pass request to questions_for_user
  Files: app/eventyay/orga/views/dashboard.py, app/eventyay/talk_rules/submission.py, talk/src/pretalx/api/views/question.py, talk/src/pretalx/api/serializers/question.py

Change: Styling for admin mode controls
  • Added .admin-mode and .end-admin-mode classes to common CSS
  Files: app/eventyay/static/common/css/base.css

Assessment against linked issues

Objectives of issue #1099:
  • Ensure that when Admin Mode is active, system admins have full access rights across all components, including Talk.
  • Update the Talk component (backend and frontend) to recognize the is_admin_mode or is_system_admin flag, bypassing component-level permission restrictions.
  • Add or update permission logic, automated tests, and documentation so that system admins in Admin Mode can view and modify Talk content, with unified permission behavior across the platform.

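The PR summary above and the reviewer's guide sequence diagram describe the same mechanism: a staff user opens a temporary staff session, `check_admin_mode(user, request)` consults it, and `has_event_perm` lets that result override the ordinary permission check. The following is an added, framework-free model of that flow; it is not the eventyay or pretalx project code. It assumes the names the PR uses (`StaffSession` with `user`, `date_end` and `comment`; `User.has_active_staff_session`; `check_admin_mode`; `has_event_perm`; `staff_need_to_explain`) but every class, the `Request` object, the `now` parameter, the `MAX_SESSION_AGE` cutoff and the sample users are constructed for illustration. It goes slightly beyond the PR by binding the session to the browser session key, expiring stale sessions, refusing the override when the user asked about is not the requesting user, and logging every bypass, which are the defensive properties a reviewer would want to see for a feature that disables permission checks.

```python
from __future__ import annotations

import logging
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

logger = logging.getLogger(__name__)

# Constructed policy, not from the PR: a session nobody ended is still treated as
# over after this long, so a forgotten admin mode cannot persist indefinitely.
MAX_SESSION_AGE = timedelta(hours=1)


@dataclass
class StaffSession:
    user: "User"
    session_key: str             # browser session admin mode was started from
    date_start: datetime
    date_end: datetime | None = None
    comment: str = ""            # justification, expected once the session ends

    def is_active(self, session_key: str, now: datetime) -> bool:
        if self.date_end is not None or self.session_key != session_key:
            return False
        return now - self.date_start <= MAX_SESSION_AGE


@dataclass
class User:
    name: str
    is_staff: bool = False
    team_perms: set[str] = field(default_factory=set)  # "perm:obj" strings (constructed)
    staff_sessions: list[StaffSession] = field(default_factory=list)

    def has_active_staff_session(self, session_key: str, now: datetime) -> bool:
        # The PR's method takes only session_key; `now` is added here for testability.
        return any(s.is_active(session_key, now) for s in self.staff_sessions)

    def has_perm(self, perm: str, obj: str) -> bool:
        return f"{perm}:{obj}" in self.team_perms


@dataclass
class Request:              # stand-in for a Django request (constructed)
    user: User
    session_key: str
    now: datetime


def start_staff_session(user: User, session_key: str, now: datetime) -> StaffSession:
    """'Admin mode' button: staff only, one active session per browser session."""
    if not user.is_staff:
        raise PermissionError(f"{user.name} is not staff")
    if user.has_active_staff_session(session_key, now):
        raise ValueError("admin mode is already active for this session")
    session = StaffSession(user=user, session_key=session_key, date_start=now)
    user.staff_sessions.append(session)
    logger.warning("admin mode started by %s", user.name)
    return session


def end_staff_session(user: User, session_key: str, now: datetime, comment: str = "") -> None:
    """'End admin session' button; the comment may be supplied later."""
    for session in user.staff_sessions:
        if session.is_active(session_key, now):
            session.date_end, session.comment = now, comment
            logger.warning("admin mode ended by %s", user.name)


def check_admin_mode(user: User, request: Request | None = None) -> bool:
    """True only when the *requesting* user has a live staff session bound to this
    browser session. First parameter is `user`, not `self`, as Sourcery suggested."""
    if request is None or request.user is not user:
        return False
    if not user.has_active_staff_session(request.session_key, request.now):
        return False
    logger.info("admin mode override used by %s", user.name)  # every bypass is logged
    return True


def has_event_perm(perm: str, user: User, request: Request | None, obj: str) -> bool:
    """The has_event_perm tag: admin mode overrides, otherwise the normal check."""
    return check_admin_mode(user, request) or user.has_perm(perm, obj)


def staff_need_to_explain(user: User) -> list[StaffSession]:
    """Ended sessions without a comment, which the navbar warning lists."""
    return [s for s in user.staff_sessions if s.date_end is not None and not s.comment]


def demo() -> dict[str, bool | int]:
    """Constructed scenario: alice is staff with no team permission on evt-1."""
    now = datetime(2025, 10, 30, 12, 0, tzinfo=timezone.utc)
    perm, event = "orga.view_orga_area", "evt-1"
    alice = User("alice", is_staff=True)
    bob = User("bob", team_perms={f"{perm}:{event}"})
    r: dict[str, bool | int] = {}
    r["no_session"] = has_event_perm(perm, alice, Request(alice, "k1", now), event)
    start_staff_session(alice, "k1", now)
    r["in_session"] = has_event_perm(perm, alice, Request(alice, "k1", now), event)
    r["other_browser"] = has_event_perm(perm, alice, Request(alice, "k2", now), event)
    r["other_user"] = check_admin_mode(alice, Request(bob, "k1", now))
    late = now + MAX_SESSION_AGE + timedelta(minutes=1)
    r["expired"] = has_event_perm(perm, alice, Request(alice, "k1", late), event)
    r["team_perm"] = has_event_perm(perm, bob, Request(bob, "k3", now), event)
    try:
        start_staff_session(bob, "k3", now)
        r["non_staff_blocked"] = False
    except PermissionError:
        r["non_staff_blocked"] = True
    end_staff_session(alice, "k1", now + timedelta(minutes=5))
    r["after_end"] = has_event_perm(perm, alice, Request(alice, "k1", now + timedelta(minutes=6)), event)
    r["need_comment"] = len(staff_need_to_explain(alice))
    return r
```

`demo()` walks the cases a reviewer of this PR would want covered: no session, active session, same user from a different browser session, a request by another user, an expired session, an ordinary team permission still working without admin mode, a non-staff user refused entry, and the ended session showing up in the "needs a comment" warning.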


@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `app/eventyay/common/permissions.py:6` </location>
<code_context>
+logger = logging.getLogger(__name__)
+
+
+def check_admin_mode(self, request=None):
+    if request and hasattr(request.user, 'has_active_staff_session') and  request.user.has_active_staff_session(request.session.session_key):
+        logger.debug(
</code_context>
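Review bot: `check_admin_mode` never reads its first parameter; the decision is made entirely from `request.user`, so a caller that passes anything other than the requesting user as `self` gets an answer about the request's user rather than the object it asked about. Either drop the parameter, or compare it to `request.user` and return False on a mismatch so the override cannot be attached to the wrong principal. Since this function switches off permission checks altogether, the `hasattr(request.user, 'has_active_staff_session')` guard should also not silently fall through to the standard check when the method is missing; log that case, and fix the double space in `and  request.user` while here.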

<issue_to_address>
**suggestion:** The use of 'self' in check_admin_mode is ambiguous.

The function's 'self' parameter is inconsistently used, which may cause confusion or errors. Rename it to 'user' or clarify its expected type for better readability and maintainability.
</issue_to_address>

### Comment 2
<location> `app/eventyay/static/common/css/base.css:173-175` </location>
<code_context>
+  color: var(--color-offwhite);
+}
+
+.end-admin-mode {
+  padding: 12px;
+  background-color: red;
+}
+
</code_context>
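Review bot: `.end-admin-mode` sets `background-color: red` but no `color`, so the label of the "End admin session" button inherits whatever the navbar foreground is; the preceding rule sets `color: var(--color-offwhite)` explicitly and this rule should do the same, otherwise the control users need to leave the elevated state may be unreadable in some themes. Replace the literal `red` with a theme variable at the same time.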

<issue_to_address>
**suggestion:** Hardcoded color value for .end-admin-mode may reduce theme flexibility.

Consider replacing the hardcoded 'red' with a CSS variable or an existing color class to improve maintainability and theme consistency.

Suggested implementation:

```css
.end-admin-mode {
  padding: 12px;
  background-color: var(--color-danger);
}
```

If `--color-danger` is not already defined in your CSS variables, you should add it to your root or theme section, for example:

```css
:root {
  --color-danger: #d32f2f; /* or your preferred danger color */
}
```
</issue_to_address>


@mariobehling mariobehling requested a review from Copilot October 30, 2025 15:08

Copilot AI left a comment


Pull Request Overview

This pull request implements an admin mode feature that allows staff users to bypass normal permission checks across the application. The changes introduce a staff session mechanism where superusers can enter an elevated "admin mode" to access resources regardless of their regular team permissions.

Key changes:

  • Added check_admin_mode() utility function to verify if a user has an active staff session
  • Updated permission checks across views, serializers, and templates to incorporate admin mode bypasses
  • Introduced has_event_perm template tag to consolidate permission checking with admin mode support
  • Added UI elements for starting/ending admin sessions in the navigation bar

Reviewed Changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 12 comments.

Summary per file:
  • app/eventyay/common/permissions.py: new module defining check_admin_mode() to check if a user has an active staff session
  • app/eventyay/orga/templatetags/staff_session.py: new template tags including has_event_perm for permission checks with admin mode support
  • app/eventyay/talk_rules/submission.py: updated questions_for_user() to accept a self parameter and check admin mode
  • app/eventyay/common/views/mixins.py: added admin mode check to the _check_permission() method
  • app/eventyay/common/views/generic.py: added admin mode checks to the permission validation methods
  • app/eventyay/orga/views/dashboard.py: modified the event list queryset to show all events in admin mode
  • app/eventyay/orga/views/cfp.py: updated the questions_for_user() call to the new signature
  • talk/src/pretalx/api/views/*.py: updated questions_for_user() calls in the submission, speaker, and question viewsets
  • talk/src/pretalx/api/serializers/question.py: updated the questions_for_user() call in the serializer init
  • app/eventyay/orga/templates/orga/base.html: added admin mode UI elements and updated permission checks
  • Multiple template files: replaced has_perm with has_event_perm to support admin mode
  • app/eventyay/static/common/css/base.css: added CSS styling for the admin mode UI elements


@Sak1012 Sak1012 left a comment


Hey @Gagan-Ram! Thanks, the changes work, but there is a design mismatch.

In the common dashboard the "End Admin Session" is highlighted in red:
(screenshot)
But this does not match in the talks dashboard:
(screenshot)


@mariobehling mariobehling left a comment


In the talk component please match the spacing between the button "admin mode" and the right side button/user info as it is in the tickets component.

@Gagan-Ram Gagan-Ram (Member, Author) replied:

> But this does not match in the talks dashboard

The red background is indeed added in the CSS file. Please run `python manage.py collectstatic --noinput`.


Copilot AI left a comment


Pull Request Overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 6 comments.


@Gagan-Ram Gagan-Ram requested a review from hongquan November 4, 2025 11:27
@mariobehling mariobehling merged commit 21ba1d5 into fossasia:enext Nov 7, 2025
1 of 2 checks passed

Development

Successfully merging this pull request may close these issues.

Bug: System Admins in “Admin Mode” Do Not Have Admin Access in Talk Component