Replace superuser permission check with staff permission

saleor/core/permissions.py

@@ -5,8 +5,12 @@
 MODELS_PERMISSIONS = [
     'order.view_order',
     'order.edit_order',
+    'product.view_attributes',
+    'product.edit_attributes',
     'product.view_category',
     'product.edit_category',
+    'product.view_class',
+    'product.edit_class',
     'product.view_product',
     'product.edit_product',
     'product.view_stock_location',

saleor/dashboard/product/views.py

@@ -19,7 +19,8 @@
 from . import forms
 
 
-@superuser_required
+@staff_member_required
+@permission_required('product.view_class')
 def product_class_list(request):
     classes = ProductClass.objects.all().prefetch_related(
         'product_attributes', 'variant_attributes').order_by('name')
@@ -39,7 +40,8 @@ def product_class_list(request):
         ctx)
 
 
-@superuser_required
+@staff_member_required
+@permission_required('product.edit_class')
 def product_class_create(request):
     product_class = ProductClass()
     form = forms.ProductClassForm(request.POST or None,
@@ -57,7 +59,8 @@ def product_class_create(request):
         ctx)
 
 
-@superuser_required
+@staff_member_required
+@permission_required('product.edit_class')
 def product_class_edit(request, pk):
     product_class = get_object_or_404(
         ProductClass, pk=pk)
@@ -76,7 +79,8 @@ def product_class_edit(request, pk):
         ctx)
 
 
-@superuser_required
+@staff_member_required
+@permission_required('product.edit_class')
 def product_class_delete(request, pk):
     product_class = get_object_or_404(ProductClass, pk=pk)
     if request.method == 'POST':

saleor/product/models.py

@@ -160,7 +160,13 @@ class Meta:
             ('view_product',
              pgettext_lazy('Permission description', 'Can view products')),
             ('edit_product',
-             pgettext_lazy('Permission description', 'Can edit products')))
+             pgettext_lazy('Permission description', 'Can edit products')),
+            ('view_class',
+             pgettext_lazy('Permission description',
+                           'Can view product class')),
+            ('edit_class',
+             pgettext_lazy('Permission description',
+                           'Can edit product class')))
 
     def __iter__(self):
         if not hasattr(self, '__variants'):

templates/dashboard/base.html

@@ -188,22 +188,26 @@
                 </ul>
               </li>
             {% endif %}
-            {% if user.is_superuser %}
+            {% if perms.product.view_class or perms.product.view_attributes %}
               <li class="side-nav-section">
                 <p>
                   {% trans "Configuration"  context "Dashboard configuration" %}
                 </p>
                 <ul>
+                    {% if perms.userprofile.view_class %}
                   <li class="{% block menu_product_classes_class %}{% endblock %}">
                     <a href="{% url 'dashboard:product-class-list' %}">
                       {% trans "Product types" context "Dashboard product types list" %}
                     </a>
                   </li>
+                  {% endif %}
+                  {% if perms.userprofile.view_attributes %}
                   <li class="{% block menu_attributes_class %}{% endblock %}">
                     <a href="{% url 'dashboard:product-attributes' %}">
                       {% trans "Attributes" context "Dashboard attributes list" %}
                     </a>
                   </li>
+                  {% endif %}
                   <li class="{% block menu_delivery_class %}{% endblock %}">
                     <a href="{% url 'dashboard:shipping-methods' %}">
                       {% trans "Shipping methods" context "Dashboard shipping methods list" %}