From 25dadf81f647e82a68a5e637d135cf25becccf67 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Sat, 3 Dec 2016 21:45:55 +1000
Subject: [PATCH 01/10] Add open/hidden group membership display and remove

---
 alliance_auth/urls.py                         |  6 ++
 groupmanagement/views.py                      | 71 +++++++++++++++++++
 .../templates/registered/groupmanagement.html |  2 +-
 .../registered/groupmanagementmenu.html       | 26 +++++++
 stock/templates/registered/groupmembers.html  | 44 ++++++++++++
 .../templates/registered/groupmembership.html | 54 ++++++++++++++
 6 files changed, 202 insertions(+), 1 deletion(-)
 create mode 100644 stock/templates/registered/groupmanagementmenu.html
 create mode 100644 stock/templates/registered/groupmembers.html
 create mode 100644 stock/templates/registered/groupmembership.html

diff --git a/alliance_auth/urls.py b/alliance_auth/urls.py
index 29613fc5..46c155b4 100755
--- a/alliance_auth/urls.py
+++ b/alliance_auth/urls.py
@@ -192,6 +192,12 @@ urlpatterns += i18n_patterns(
     url(_(r'^groups/'), groupmanagement.views.groups_view, name='auth_groups'),
     url(_(r'^group/management/'), groupmanagement.views.group_management,
         name='auth_group_management'),
+    url(_(r'^group/membership/$'), groupmanagement.views.group_membership,
+        name='auth_group_membership'),
+    url(_(r'^group/membership/(\w+)/$'), groupmanagement.views.group_membership_list,
+        name='auth_group_membership_list'),
+    url(_(r'^group/membership/(\w+)/remove/(\w+)/$'), groupmanagement.views.group_membership_remove,
+        name='auth_group_membership_remove'),
     url(_(r'^group/request_add/(\w+)'), groupmanagement.views.group_request_add,
         name='auth_group_request_add'),
     url(_(r'^group/request/accept/(\w+)'), groupmanagement.views.group_accept_request,
diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 9a9eaf91..849a2ec1 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -13,6 +13,10 @@ from groupmanagement.models import OpenGroup
 from authentication.models import AuthServicesInfo
 from eveonline.managers import EveManager
 from django.utils.translation import ugettext_lazy as _
+from django.db.models import Count
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
+from django.http import Http404
+from itertools import chain
 
 import logging
 
@@ -39,6 +43,73 @@ def group_management(request):
     return render(request, 'registered/groupmanagement.html', context=render_items)
 
 
+@login_required
+@permission_required('auth.group_management')
+def group_membership(request):
+    logger.debug("group_membership called by user %s" % request.user)
+    # Get all open and closed groups
+    opengroups = OpenGroup.objects.all().annotate(num_members=Count('group__user'))
+    closedgroups = HiddenGroup.objects.all().annotate(num_members=Count('group__user'))
+
+    groups = list(chain(opengroups, closedgroups))
+    groups.sort(key=lambda g: g.group.name.lower())
+
+    render_items = {'groups': groups}
+
+    return render(request, 'registered/groupmembership.html', context=render_items)
+
+
+@login_required
+@permission_required('auth.group_management')
+def group_membership_list(request, group_id):
+    logger.debug("group_membership_list called by user %s for group id %s" % (request.user, group_id))
+    try:
+        group = Group.objects.get(id=group_id)
+
+        # Check its a joinable group i.e. not corp or internal
+        if not hasattr(group, 'hiddengroup') and not hasattr(group, 'opengroup'):
+            raise PermissionDenied
+
+    except ObjectDoesNotExist:
+        raise Http404("Group does not exist")
+
+    members = list()
+
+    for member in group.user_set.all():
+        authinfo = AuthServicesInfo.objects.get_or_create(user=member)[0]
+
+        members.append({
+            'user': member,
+            'main_char': EveManager.get_character_by_id(authinfo.main_char_id)
+        })
+
+    render_items = {'group': group, 'members': members}
+
+    return render(request, 'registered/groupmembers.html', context=render_items)
+
+
+@login_required
+@permission_required('auth.group_management')
+def group_membership_remove(request, group_id, user_id):
+    logger.debug("group_membership_remove called by user %s for group id %s on user id %s" %
+                 (request.user, group_id, user_id))
+    try:
+        group = Group.objects.get(id=group_id)
+
+        try:
+            user = group.user_set.get(id=user_id)
+            # Remove group from user
+            user.groups.remove(group)
+            messages.success(request, "Removed user %s from group %s" % (user, group))
+        except ObjectDoesNotExist:
+            messages.warning(request, "User does not exist in that group")
+
+    except ObjectDoesNotExist:
+        messages.warning(request, "Group does not exist")
+
+    return redirect('auth_group_membership_list', group_id)
+
+
 @login_required
 @permission_required('auth.group_management')
 def group_accept_request(request, group_request_id):
diff --git a/stock/templates/registered/groupmanagement.html b/stock/templates/registered/groupmanagement.html
index 9f48722d..7eeec15f 100644
--- a/stock/templates/registered/groupmanagement.html
+++ b/stock/templates/registered/groupmanagement.html
@@ -9,7 +9,7 @@
 
 {% block content %}
     <div class="col-lg-12">
-        <h3 class="page-header text-center">{% trans "Group Management" %}</h3>
+        {% include 'registered/groupmanagementmenu.html' with page="auth_group_management"  %}
         <ul class="nav nav-tabs">
             <li class="active"><a data-toggle="tab" href="#add">{% trans "Group Add Requests" %}</a></li>
             <li><a data-toggle="tab" href="#leave">{% trans "Group Leave Requests" %}</a></li>
diff --git a/stock/templates/registered/groupmanagementmenu.html b/stock/templates/registered/groupmanagementmenu.html
new file mode 100644
index 00000000..d0823779
--- /dev/null
+++ b/stock/templates/registered/groupmanagementmenu.html
@@ -0,0 +1,26 @@
+{% load staticfiles %}
+{% load i18n %}
+
+<nav class="navbar navbar-default">
+<div class="container-fluid">
+    <div class="navbar-header">
+        <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
+            <span class="sr-only">{% trans "Toggle navigation" %}</span>
+            <span class="icon-bar"></span>
+            <span class="icon-bar"></span>
+            <span class="icon-bar"></span>
+        </button>
+        <a class="navbar-brand" href="#">Group Management</a>
+    </div>
+    <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
+        <ul class="nav navbar-nav">
+            <li {% if page == 'auth_group_management' %}class="active"{% endif %}>
+                <a href="{% url 'auth_group_management' %}">{% trans "Group Requests" %}</a>
+            </li>
+            <li {% if page == 'auth_group_membership' %}class="active"{% endif %}>
+                <a href="{% url 'auth_group_membership' %}">{% trans "Group Membership" %}</a>
+            </li>
+        </ul>
+    </div>
+</div>
+</nav>
diff --git a/stock/templates/registered/groupmembers.html b/stock/templates/registered/groupmembers.html
new file mode 100644
index 00000000..b83e3b12
--- /dev/null
+++ b/stock/templates/registered/groupmembers.html
@@ -0,0 +1,44 @@
+{% extends "public/base.html" %}
+{% load staticfiles %}
+{% load i18n %}
+
+{% block title %}Alliance Auth{% endblock %}
+
+{% block page_title %}{% trans "Group Members" %}{% endblock page_title %}
+{% block extra_css %}{% endblock extra_css %}
+
+{% block content %}
+    <div class="col-lg-12">
+        {% include 'registered/groupmanagementmenu.html' with page="auth_group_membership"  %}
+        <h3>{{ group.name }} {% trans 'Members' %}</h3>
+        <div id="list" class="">
+            {% if group.user_set %}
+            <table class="table">
+                <tr>
+                    <th class="text-center">{% trans "User" %}</th>
+                    <th class="text-center">{% trans "Character" %}</th>
+                    <th class="text-center">{% trans "Corp" %}</th>
+                    <th class="text-center">{% trans "Alliance" %}</th>
+                    <th class="text-center">{% trans "Action" %}</th>
+                </tr>
+                {% for member in members %}
+                    <tr>
+                        <td class="text-center">{{ member.user.username }}</td>
+                        <td class="text-center">{{ member.main_char.character_name }}</td>
+                        <td class="text-center">{{ member.main_char.corporation_name }}</td>
+                        <td class="text-center">{{ member.main_char.alliance_name }}</td>
+                        <td class="text-center">
+                            <a href="{% url 'auth_group_membership_remove' group.id member.user.id %}" class="btn btn-danger"
+                                title="{% trans "Remove from group" %}">
+                                    <i class="glyphicon glyphicon-remove"></i>
+                            </a>
+                        </td>
+                    </tr>
+                {% endfor %}
+            </table>
+            {% else %}
+                <div class="alert alert-warning text-center">No group members to list.</div>
+            {% endif %}
+        </div>
+    </div>
+{% endblock content %}
diff --git a/stock/templates/registered/groupmembership.html b/stock/templates/registered/groupmembership.html
new file mode 100644
index 00000000..aa139be6
--- /dev/null
+++ b/stock/templates/registered/groupmembership.html
@@ -0,0 +1,54 @@
+{% extends "public/base.html" %}
+{% load staticfiles %}
+{% load i18n %}
+
+{% block title %}Alliance Auth{% endblock %}
+
+{% block page_title %}{% trans "Groups Membership" %}{% endblock page_title %}
+{% block extra_css %}{% endblock extra_css %}
+
+{% block content %}
+    <div class="col-lg-12">
+        {% include 'registered/groupmanagementmenu.html' with page="auth_group_membership"  %}
+        <div>
+            {% if groups %}
+            <h3>Groups</h3>
+            <table class="table">
+                <tr>
+                    <th class="text-center">{% trans "Name" %}</th>
+                    <th class="text-center">{% trans "Description" %}</th>
+                    <th class="text-center">{% trans "Status" %}</th>
+                    <th class="text-center">{% trans "Member Count" %}</th>
+                    <th class="text-center">{% trans "Action" %}</th>
+                </tr>
+                {% for group in groups %}
+                    <tr>
+                        <td class="text-center">{{ group.group.name }}</td>
+                        <td class="text-center">{{ group.group.groupdescription.description }}</td>
+                        <td class="text-center">
+                            {% if group.group.hiddengroup %}
+                                <span class="label label-info">{% trans "Hidden" %}</span>
+                            {% elif group.group.opengroup %}
+                                <span class="label label-success">{% trans "Open" %}</span>
+                            {% else %}
+                                <span class="label label-default">{% trans "Other" %}</span>
+                            {% endif %}
+                        </td>
+                        <td class="text-center">
+                            {{ group.num_members }}
+                        </td>
+                        <td class="text-center">
+                            <a href="{% url 'auth_group_membership_list' group.group.id %}" class="btn btn-primary"
+                                title="{% trans "View Members" %}">
+                                    <i class="glyphicon glyphicon-eye-open"></i>
+                            </a>
+                        </td>
+                    </tr>
+                {% endfor %}
+            </table>
+            {% else %}
+                <div class="alert alert-warning text-center">No groups to list.</div>
+            {% endif %}
+        </div>
+    </div>
+{% endblock content %}

From 42def30c915bf640a24174910fca3b01cb7f6522 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Sun, 4 Dec 2016 09:21:43 +1000
Subject: [PATCH 02/10] Include requestable groups other than open

---
 groupmanagement/views.py                      | 32 +++++++++++--------
 .../templates/registered/groupmembership.html | 12 +++----
 2 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 849a2ec1..71782c6d 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -48,11 +48,8 @@ def group_management(request):
 def group_membership(request):
     logger.debug("group_membership called by user %s" % request.user)
     # Get all open and closed groups
-    opengroups = OpenGroup.objects.all().annotate(num_members=Count('group__user'))
-    closedgroups = HiddenGroup.objects.all().annotate(num_members=Count('group__user'))
-
-    groups = list(chain(opengroups, closedgroups))
-    groups.sort(key=lambda g: g.group.name.lower())
+    groups = [group for group in Group.objects.all().annotate(num_members=Count('user')).order_by('name')
+              if joinable_group(group)]
 
     render_items = {'groups': groups}
 
@@ -67,7 +64,7 @@ def group_membership_list(request, group_id):
         group = Group.objects.get(id=group_id)
 
         # Check its a joinable group i.e. not corp or internal
-        if not hasattr(group, 'hiddengroup') and not hasattr(group, 'opengroup'):
+        if not joinable_group(group):
             raise PermissionDenied
 
     except ObjectDoesNotExist:
@@ -221,13 +218,7 @@ def groups_view(request):
 
     for group in Group.objects.all():
         # Check if group is a corp
-        if "Corp_" in group.name:
-            pass
-        elif "Alliance_" in group.name:
-            pass
-        elif settings.DEFAULT_AUTH_GROUP in group.name:
-            pass
-        elif settings.DEFAULT_BLUE_GROUP in group.name:
+        if not joinable_group(group):
             pass
         elif HiddenGroup.objects.filter(group=group).exists():
             pass
@@ -291,3 +282,18 @@ def group_request_leave(request, group_id):
     logger.info("Created group leave request for user %s to group %s" % (request.user, Group.objects.get(id=group_id)))
     messages.success(request, 'Applied to leave group %s.' % group)
     return redirect("auth_groups")
+
+
+def joinable_group(group):
+    """
+    Check if a group is a user joinable group, i.e.
+    not an internal group for Corp, Alliance, Members etc
+    :param group: django.contrib.auth.models.Group object
+    :return: bool True if its joinable, False otherwise
+    """
+    return (
+        "Corp_" not in group.name and
+        "Alliance_" not in group.name and
+        settings.DEFAULT_AUTH_GROUP not in group.name and
+        settings.DEFAULT_BLUE_GROUP not in group.name
+    )
diff --git a/stock/templates/registered/groupmembership.html b/stock/templates/registered/groupmembership.html
index aa139be6..af78e895 100644
--- a/stock/templates/registered/groupmembership.html
+++ b/stock/templates/registered/groupmembership.html
@@ -23,22 +23,22 @@
                 </tr>
                 {% for group in groups %}
                     <tr>
-                        <td class="text-center">{{ group.group.name }}</td>
-                        <td class="text-center">{{ group.group.groupdescription.description }}</td>
+                        <td class="text-center">{{ group.name }}</td>
+                        <td class="text-center">{{ group.groupdescription.description }}</td>
                         <td class="text-center">
-                            {% if group.group.hiddengroup %}
+                            {% if group.hiddengroup %}
                                 <span class="label label-info">{% trans "Hidden" %}</span>
-                            {% elif group.group.opengroup %}
+                            {% elif group.opengroup %}
                                 <span class="label label-success">{% trans "Open" %}</span>
                             {% else %}
-                                <span class="label label-default">{% trans "Other" %}</span>
+                                <span class="label label-default">{% trans "Requestable" %}</span>
                             {% endif %}
                         </td>
                         <td class="text-center">
                             {{ group.num_members }}
                         </td>
                         <td class="text-center">
-                            <a href="{% url 'auth_group_membership_list' group.group.id %}" class="btn btn-primary"
+                            <a href="{% url 'auth_group_membership_list' group.id %}" class="btn btn-primary"
                                 title="{% trans "View Members" %}">
                                     <i class="glyphicon glyphicon-eye-open"></i>
                             </a>

From 648753a68a9bde5efa89393ab0e89803bcd858ca Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Sun, 4 Dec 2016 13:02:25 +1000
Subject: [PATCH 03/10] Prevent users requesting or leaving non-joinable groups

I have not prevented users joining hidden groups however, as
there may be some use cases where the direct link is provided
for users to request access to the group.

Also prevent users generating leave requests for groups they
are not a member of.
---
 groupmanagement/views.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 71782c6d..e79ab0da 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -246,6 +246,11 @@ def groups_view(request):
 def group_request_add(request, group_id):
     logger.debug("group_request_add called by user %s for group id %s" % (request.user, group_id))
     group = Group.objects.get(id=group_id)
+    if not joinable_group(group):
+        logger.warning("User %s attempted to join group id %s but it is not a joinable group" %
+                       (request.user, group_id))
+        messages.warning(request, "You cannot join that group")
+        return redirect('auth_groups')
     if OpenGroup.objects.filter(group=group).exists():
         logger.info("%s joining %s as is an open group" % (request.user, group))
         request.user.groups.add(group)
@@ -267,6 +272,16 @@ def group_request_add(request, group_id):
 def group_request_leave(request, group_id):
     logger.debug("group_request_leave called by user %s for group id %s" % (request.user, group_id))
     group = Group.objects.get(id=group_id)
+    if not joinable_group(group):
+        logger.warning("User %s attempted to leave group id %s but it is not a joinable group" %
+                       (request.user, group_id))
+        messages.warning(request, "You cannot leave that group")
+        return redirect('auth_groups')
+    if group not in request.user.groups.all():
+        logger.debug("User %s attempted to leave group id %s but they are not a member" %
+                     (request.user, group_id))
+        messages.warning(request, "You are not a member of that group")
+        return redirect('auth_groups')
     if OpenGroup.objects.filter(group=group).exists():
         logger.info("%s leaving %s as is an open group" % (request.user, group))
         request.user.groups.remove(group)

From bf345361b25f567f4bc527be9fa9edc5e02d6e77 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Sun, 4 Dec 2016 23:05:04 +1000
Subject: [PATCH 04/10] Refactor Group extension models into a single OneToOne
 model

Added group leader field
---
 groupmanagement/admin.py                      |  14 ++-
 groupmanagement/managers.py                   |  20 ++++
 groupmanagement/migrations/0004_authgroup.py  | 112 ++++++++++++++++++
 groupmanagement/models.py                     |  68 ++++++++---
 groupmanagement/views.py                      |  61 ++--------
 .../templates/registered/groupmembership.html |   6 +-
 stock/templates/registered/groups.html        |  26 ++--
 7 files changed, 220 insertions(+), 87 deletions(-)
 create mode 100644 groupmanagement/managers.py
 create mode 100644 groupmanagement/migrations/0004_authgroup.py

diff --git a/groupmanagement/admin.py b/groupmanagement/admin.py
index 4d21a00f..aa7ea35a 100644
--- a/groupmanagement/admin.py
+++ b/groupmanagement/admin.py
@@ -1,13 +1,15 @@
 from __future__ import unicode_literals
 from django.contrib import admin
 
-from groupmanagement.models import GroupDescription
 from groupmanagement.models import GroupRequest
-from groupmanagement.models import HiddenGroup
-from groupmanagement.models import OpenGroup
+from groupmanagement.models import AuthGroup
 
 
-admin.site.register(GroupDescription)
+class AuthGroupAdmin(admin.ModelAdmin):
+    """
+    Admin model for AuthGroup
+    """
+    filter_horizontal = ('group_leaders',)
+
 admin.site.register(GroupRequest)
-admin.site.register(HiddenGroup)
-admin.site.register(OpenGroup)
+admin.site.register(AuthGroup, AuthGroupAdmin)
diff --git a/groupmanagement/managers.py b/groupmanagement/managers.py
new file mode 100644
index 00000000..cb0d0486
--- /dev/null
+++ b/groupmanagement/managers.py
@@ -0,0 +1,20 @@
+from django.contrib.auth.models import Group
+from django.conf import settings
+
+class GroupManager:
+    def __init__(self):
+        pass
+
+    @staticmethod
+    def get_joinable_groups():
+        return Group.objects.exclude(authgroup__internal=True)
+
+    @staticmethod
+    def joinable_group(group):
+        """
+        Check if a group is a user joinable group, i.e.
+        not an internal group for Corp, Alliance, Members etc
+        :param group: django.contrib.auth.models.Group object
+        :return: bool True if its joinable, False otherwise
+        """
+        return not group.authgroup.internal
diff --git a/groupmanagement/migrations/0004_authgroup.py b/groupmanagement/migrations/0004_authgroup.py
new file mode 100644
index 00000000..f0cf52ac
--- /dev/null
+++ b/groupmanagement/migrations/0004_authgroup.py
@@ -0,0 +1,112 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.2 on 2016-12-04 10:25
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+from django.core.exceptions import ObjectDoesNotExist
+import django.db.models.deletion
+
+
+def internal_group(group):
+    return (
+        "Corp_" in group.name or
+        "Alliance_" in group.name or
+        settings.DEFAULT_AUTH_GROUP in group.name or
+        settings.DEFAULT_BLUE_GROUP in group.name
+    )
+
+
+def combine_group_models(apps, schema_editor):
+    Group = apps.get_model("auth", "Group")
+    AuthGroup = apps.get_model("groupmanagement", "AuthGroup")
+
+    for group in Group.objects.all():
+        authgroup = AuthGroup(group=group)
+        if not hasattr(group, 'hiddengroup'):
+            authgroup.hidden = False
+        if hasattr(group, 'opengroup'):
+            authgroup.open = True
+
+        if hasattr(group, 'groupdescription'):
+            authgroup.description = group.groupdescription.description
+
+        authgroup.internal = internal_group(group)
+        authgroup.save()
+
+
+def reverse_group_models(apps, schema_editor):
+    Group = apps.get_model("auth", "Group")
+    GroupDescription = apps.get_model("groupmanagement", "GroupDescription")
+    OpenGroup = apps.get_model("groupmanagement", "OpenGroup")
+    HiddenGroup = apps.get_model("groupmanagement", "HiddenGroup")
+
+    for group in Group.objects.all():
+        if not hasattr(group, 'authgroup') or group.authgroup is None:
+            continue
+        if group.authgroup.open:
+            OpenGroup.objects.get_or_create(group=group)
+        else:
+            try:
+                OpenGroup.objects.get(group=group).delete()
+            except ObjectDoesNotExist:
+                pass
+
+        if group.authgroup.hidden:
+            HiddenGroup.objects.get_or_create(group=group)
+        else:
+            try:
+                HiddenGroup.objects.get(group=group).delete()
+            except ObjectDoesNotExist:
+                pass
+
+        if len(group.authgroup.description):
+            GroupDescription.objects.update_or_create(group=group,
+                                                      defaults={'description': group.authgroup.description})
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0008_alter_user_username_max_length'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('groupmanagement', '0003_default_groups'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='AuthGroup',
+            fields=[
+                ('group', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, primary_key=True,
+                                               serialize=False,  to='auth.Group')),
+                ('internal', models.BooleanField(default=True, help_text='Internal group, users cannot see, join or request to join this group.<br>Used for groups such as Members, Corp_*, Alliance_* etc.<br><b>Overrides Hidden and Open options when selected.</b>')),
+                ('hidden', models.BooleanField(default=True, help_text='Group is hidden from users but can still join with the correct link.')),
+                ('open', models.BooleanField(default=False, help_text='Group is open and users will be automatically added upon request. <br>If the group is not open users will need their request manually approved.')),
+                ('description', models.CharField(max_length=512, help_text='Description of the group shown to users.', )),
+
+                ('group_leaders', models.ManyToManyField(related_name='leads_groups', to=settings.AUTH_USER_MODEL, help_text='Group leaders can process group requests for this group specifically. Use the auth.group_management permission to allow a user to manage all groups.',)),
+            ],
+        ),
+        migrations.RunPython(combine_group_models, reverse_group_models),
+        migrations.RemoveField(
+            model_name='groupdescription',
+            name='group',
+        ),
+        migrations.RemoveField(
+            model_name='hiddengroup',
+            name='group',
+        ),
+        migrations.RemoveField(
+            model_name='opengroup',
+            name='group',
+        ),
+        migrations.DeleteModel(
+            name='GroupDescription',
+        ),
+        migrations.DeleteModel(
+            name='HiddenGroup',
+        ),
+        migrations.DeleteModel(
+            name='OpenGroup',
+        ),
+    ]
diff --git a/groupmanagement/models.py b/groupmanagement/models.py
index ffad61aa..adf0d2d2 100644
--- a/groupmanagement/models.py
+++ b/groupmanagement/models.py
@@ -3,19 +3,12 @@ from django.utils.encoding import python_2_unicode_compatible
 from django.db import models
 from django.contrib.auth.models import User
 from django.contrib.auth.models import Group
+from django.db.models.signals import post_save
+from django.dispatch import receiver
 
 from eveonline.models import EveCharacter
 
 
-@python_2_unicode_compatible
-class GroupDescription(models.Model):
-    description = models.CharField(max_length=512)
-    group = models.OneToOneField(Group)
-
-    def __str__(self):
-        return self.group.name + " - Description"
-
-
 @python_2_unicode_compatible
 class GroupRequest(models.Model):
     status = models.CharField(max_length=254)
@@ -29,16 +22,57 @@ class GroupRequest(models.Model):
 
 
 @python_2_unicode_compatible
-class HiddenGroup(models.Model):
-    group = models.OneToOneField(Group)
+class AuthGroup(models.Model):
+    """
+    Extends Django Group model with a one-to-one field
+    Attributes are accessible via group as if they were in the model
+    e.g. group.authgroup.internal
+
+    Logic:
+    Internal - not requestable by users, at all. Covers Corp_, Alliance_, Members etc groups.
+    Groups are internal by default
+
+    Not Internal and:
+        Hidden - users cannot view, can request if they have the direct link.
+        Not Hidden - Users can view and request the group
+        Open - Users are automatically accepted into the group
+        Not Open - Users requests must be approved before they are added to the group
+    """
+    group = models.OneToOneField(Group, on_delete=models.CASCADE, primary_key=True)
+
+    internal = models.BooleanField(default=True,
+                                   help_text="Internal group, users cannot see, join or request to join this group.<br>"
+                                             "Used for groups such as Members, Corp_*, Alliance_* etc.<br>"
+                                             "<b>Overrides Hidden and Open options when selected.</b>")
+    hidden = models.BooleanField(default=True,
+                                 help_text="Group is hidden from users but can still join with the correct link.")
+    open = models.BooleanField(default=False,
+                               help_text="Group is open and users will be automatically added upon request. <br>"
+                                         "If the group is not open users will need their request manually approved.")
+    # Group leaders have management access to this group
+    group_leaders = models.ManyToManyField(User, related_name='leads_groups',
+                                           help_text="Group leaders can process group requests for this group "
+                                                     "specifically. Use the auth.group_management permission to allow "
+                                                     "a user to manage all groups.")
+
+    description = models.CharField(max_length=512, help_text="Description of the group shown to users.")
 
     def __str__(self):
-        return self.group.name + " - Hidden"
+        return self.group.name
 
 
-@python_2_unicode_compatible
-class OpenGroup(models.Model):
-    group = models.OneToOneField(Group)
+@receiver(post_save, sender=Group)
+def create_auth_group(sender, instance, created, **kwargs):
+    """
+    Creates the AuthGroup model when a group is created
+    """
+    if created:
+        AuthGroup.objects.create(group=instance)
 
-    def __str__(self):
-        return self.group.name + " - Open"
+
+@receiver(post_save, sender=Group)
+def save_auth_group(sender, instance, **kwargs):
+    """
+    Ensures AuthGroup model is saved automatically
+    """
+    instance.authgroup.save()
diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index e79ab0da..0e11cdb5 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -1,22 +1,18 @@
 from __future__ import unicode_literals
 from django.shortcuts import render, redirect
-from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.decorators import permission_required
 from django.contrib.auth.models import Group
 from django.contrib import messages
 from notifications import notify
-from groupmanagement.models import GroupDescription
+from groupmanagement.managers import GroupManager
 from groupmanagement.models import GroupRequest
-from groupmanagement.models import HiddenGroup
-from groupmanagement.models import OpenGroup
 from authentication.models import AuthServicesInfo
 from eveonline.managers import EveManager
 from django.utils.translation import ugettext_lazy as _
 from django.db.models import Count
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.http import Http404
-from itertools import chain
 
 import logging
 
@@ -48,8 +44,7 @@ def group_management(request):
 def group_membership(request):
     logger.debug("group_membership called by user %s" % request.user)
     # Get all open and closed groups
-    groups = [group for group in Group.objects.all().annotate(num_members=Count('user')).order_by('name')
-              if joinable_group(group)]
+    groups = Group.objects.exclude(authgroup__internal=True).annotate(num_members=Count('user')).order_by('name')
 
     render_items = {'groups': groups}
 
@@ -64,7 +59,7 @@ def group_membership_list(request, group_id):
         group = Group.objects.get(id=group_id)
 
         # Check its a joinable group i.e. not corp or internal
-        if not joinable_group(group):
+        if not GroupManager.joinable_group(group):
             raise PermissionDenied
 
     except ObjectDoesNotExist:
@@ -214,31 +209,16 @@ def group_leave_reject_request(request, group_request_id):
 @login_required
 def groups_view(request):
     logger.debug("groups_view called by user %s" % request.user)
-    paired_list = []
+    groups = []
 
-    for group in Group.objects.all():
-        # Check if group is a corp
-        if not joinable_group(group):
-            pass
-        elif HiddenGroup.objects.filter(group=group).exists():
-            pass
-        else:
-            # Get the descriptionn
-            group_desc = GroupDescription.objects.filter(group=group)
+    for group in GroupManager.get_joinable_groups():
+        # Exclude hidden
+        if not group.authgroup.hidden:
             group_request = GroupRequest.objects.filter(user=request.user).filter(group=group)
 
-            if group_desc:
-                if group_request:
-                    paired_list.append((group, group_desc[0], group_request[0]))
-                else:
-                    paired_list.append((group, group_desc[0], ""))
-            else:
-                if group_request:
-                    paired_list.append((group, "", group_request[0]))
-                else:
-                    paired_list.append((group, "", ""))
+            groups.append({'group': group, 'request': group_request[0] if group_request else None})
 
-    render_items = {'pairs': paired_list}
+    render_items = {'groups': groups}
     return render(request, 'registered/groups.html', context=render_items)
 
 
@@ -246,12 +226,12 @@ def groups_view(request):
 def group_request_add(request, group_id):
     logger.debug("group_request_add called by user %s for group id %s" % (request.user, group_id))
     group = Group.objects.get(id=group_id)
-    if not joinable_group(group):
+    if not GroupManager.joinable_group(group):
         logger.warning("User %s attempted to join group id %s but it is not a joinable group" %
                        (request.user, group_id))
         messages.warning(request, "You cannot join that group")
         return redirect('auth_groups')
-    if OpenGroup.objects.filter(group=group).exists():
+    if group.authgroup.open:
         logger.info("%s joining %s as is an open group" % (request.user, group))
         request.user.groups.add(group)
         return redirect("auth_groups")
@@ -272,7 +252,7 @@ def group_request_add(request, group_id):
 def group_request_leave(request, group_id):
     logger.debug("group_request_leave called by user %s for group id %s" % (request.user, group_id))
     group = Group.objects.get(id=group_id)
-    if not joinable_group(group):
+    if not GroupManager.joinable_group(group):
         logger.warning("User %s attempted to leave group id %s but it is not a joinable group" %
                        (request.user, group_id))
         messages.warning(request, "You cannot leave that group")
@@ -282,7 +262,7 @@ def group_request_leave(request, group_id):
                      (request.user, group_id))
         messages.warning(request, "You are not a member of that group")
         return redirect('auth_groups')
-    if OpenGroup.objects.filter(group=group).exists():
+    if group.authgroup.open:
         logger.info("%s leaving %s as is an open group" % (request.user, group))
         request.user.groups.remove(group)
         return redirect("auth_groups")
@@ -297,18 +277,3 @@ def group_request_leave(request, group_id):
     logger.info("Created group leave request for user %s to group %s" % (request.user, Group.objects.get(id=group_id)))
     messages.success(request, 'Applied to leave group %s.' % group)
     return redirect("auth_groups")
-
-
-def joinable_group(group):
-    """
-    Check if a group is a user joinable group, i.e.
-    not an internal group for Corp, Alliance, Members etc
-    :param group: django.contrib.auth.models.Group object
-    :return: bool True if its joinable, False otherwise
-    """
-    return (
-        "Corp_" not in group.name and
-        "Alliance_" not in group.name and
-        settings.DEFAULT_AUTH_GROUP not in group.name and
-        settings.DEFAULT_BLUE_GROUP not in group.name
-    )
diff --git a/stock/templates/registered/groupmembership.html b/stock/templates/registered/groupmembership.html
index af78e895..173b152e 100644
--- a/stock/templates/registered/groupmembership.html
+++ b/stock/templates/registered/groupmembership.html
@@ -24,11 +24,11 @@
                 {% for group in groups %}
                     <tr>
                         <td class="text-center">{{ group.name }}</td>
-                        <td class="text-center">{{ group.groupdescription.description }}</td>
+                        <td class="text-center">{{ group.authgroup.description }}</td>
                         <td class="text-center">
-                            {% if group.hiddengroup %}
+                            {% if group.authgroup.hidden %}
                                 <span class="label label-info">{% trans "Hidden" %}</span>
-                            {% elif group.opengroup %}
+                            {% elif group.authgroup.open %}
                                 <span class="label label-success">{% trans "Open" %}</span>
                             {% else %}
                                 <span class="label label-default">{% trans "Requestable" %}</span>
diff --git a/stock/templates/registered/groups.html b/stock/templates/registered/groups.html
index 2581544a..21c5ec6a 100644
--- a/stock/templates/registered/groups.html
+++ b/stock/templates/registered/groups.html
@@ -11,36 +11,36 @@
     <div class="col-lg-12">
         <h1 class="page-header text-center">{% trans "Available Groups" %}</h1>
         {% if STATE == MEMBER_STATE or user.is_superuser %}
-            {% if pairs %}
+            {% if groups %}
             <table class="table">
                 <tr>
-                    <th class="text-center">{% trans "GroupName" %}</th>
-                    <th class="text-center">{% trans "GroupDesc" %}</th>
+                    <th class="text-center">{% trans "Name" %}</th>
+                    <th class="text-center">{% trans "Description" %}</th>
                     <th class="text-center">{% trans "Action" %}</th>
                 </tr>
 
-                {% for pair in pairs %}
+                {% for g in groups %}
                     <tr>
-                        <td class="text-center">{{ pair.0.name }}</td>
-                        <td class="text-center">{{ pair.1.description }}</td>
+                        <td class="text-center">{{ g.group.name }}</td>
+                        <td class="text-center">{{ g.group.authgroup.description }}</td>
                         <td class="text-center">
-                            {% if pair.0 in user.groups.all %}
-                                {% if pair.2 == "" %}
-                                    <a href="{% url 'auth_group_request_leave' pair.0.id %}" class="btn btn-danger">
+                            {% if g.group in user.groups.all %}
+                                {% if not g.request %}
+                                    <a href="{% url 'auth_group_request_leave' g.group.id %}" class="btn btn-danger">
                                         {% trans "Leave" %}
                                     </a>
                                 {% else %}
                                     <button type="button" class="btn btn-primary" disabled>
-                                        {{ pair.2.status }}
+                                        {{ g.request.status }}
                                     </button>
                                 {% endif %}
-                            {% elif pair.2 == "" %}
-                                <a href="{% url 'auth_group_request_add' pair.0.id %}" class="btn btn-success">
+                            {% elif not g.request %}
+                                <a href="{% url 'auth_group_request_add' g.group.id %}" class="btn btn-success">
                                     {% trans "Request" %}
                                 </a>
                             {% else %}
                                 <button type="button" class="btn btn-primary" disabled>
-                                    {{ pair.2.status }}
+                                    {{ g.request.status }}
                                 </button>
                             {% endif %}
                         </td>

From ed461d9e7a74551a4be3cfaccbf76097b8b83b39 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Sun, 4 Dec 2016 23:41:26 +1000
Subject: [PATCH 05/10] Add blankable fields

---
 groupmanagement/migrations/0004_authgroup.py | 4 ++--
 groupmanagement/models.py                    | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/groupmanagement/migrations/0004_authgroup.py b/groupmanagement/migrations/0004_authgroup.py
index f0cf52ac..a7bbda98 100644
--- a/groupmanagement/migrations/0004_authgroup.py
+++ b/groupmanagement/migrations/0004_authgroup.py
@@ -82,9 +82,9 @@ class Migration(migrations.Migration):
                 ('internal', models.BooleanField(default=True, help_text='Internal group, users cannot see, join or request to join this group.<br>Used for groups such as Members, Corp_*, Alliance_* etc.<br><b>Overrides Hidden and Open options when selected.</b>')),
                 ('hidden', models.BooleanField(default=True, help_text='Group is hidden from users but can still join with the correct link.')),
                 ('open', models.BooleanField(default=False, help_text='Group is open and users will be automatically added upon request. <br>If the group is not open users will need their request manually approved.')),
-                ('description', models.CharField(max_length=512, help_text='Description of the group shown to users.', )),
+                ('description', models.CharField(max_length=512, blank=True,  help_text='Description of the group shown to users.', )),
 
-                ('group_leaders', models.ManyToManyField(related_name='leads_groups', to=settings.AUTH_USER_MODEL, help_text='Group leaders can process group requests for this group specifically. Use the auth.group_management permission to allow a user to manage all groups.',)),
+                ('group_leaders', models.ManyToManyField(related_name='leads_groups', to=settings.AUTH_USER_MODEL, blank=True, help_text='Group leaders can process group requests for this group specifically. Use the auth.group_management permission to allow a user to manage all groups.',)),
             ],
         ),
         migrations.RunPython(combine_group_models, reverse_group_models),
diff --git a/groupmanagement/models.py b/groupmanagement/models.py
index adf0d2d2..52d98343 100644
--- a/groupmanagement/models.py
+++ b/groupmanagement/models.py
@@ -50,12 +50,12 @@ class AuthGroup(models.Model):
                                help_text="Group is open and users will be automatically added upon request. <br>"
                                          "If the group is not open users will need their request manually approved.")
     # Group leaders have management access to this group
-    group_leaders = models.ManyToManyField(User, related_name='leads_groups',
+    group_leaders = models.ManyToManyField(User, related_name='leads_groups', blank=True,
                                            help_text="Group leaders can process group requests for this group "
                                                      "specifically. Use the auth.group_management permission to allow "
                                                      "a user to manage all groups.")
 
-    description = models.CharField(max_length=512, help_text="Description of the group shown to users.")
+    description = models.CharField(max_length=512, blank=True, help_text="Description of the group shown to users.")
 
     def __str__(self):
         return self.group.name

From 5fb64d8c068589c3b0caac08069214d48ad79455 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Mon, 5 Dec 2016 14:35:08 +1000
Subject: [PATCH 06/10] Switched to use navactive for menu highlighting

---
 stock/templates/registered/groupmanagement.html     | 2 +-
 stock/templates/registered/groupmanagementmenu.html | 5 +++--
 stock/templates/registered/groupmembers.html        | 2 +-
 stock/templates/registered/groupmembership.html     | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/stock/templates/registered/groupmanagement.html b/stock/templates/registered/groupmanagement.html
index 7eeec15f..767d7e75 100644
--- a/stock/templates/registered/groupmanagement.html
+++ b/stock/templates/registered/groupmanagement.html
@@ -9,7 +9,7 @@
 
 {% block content %}
     <div class="col-lg-12">
-        {% include 'registered/groupmanagementmenu.html' with page="auth_group_management"  %}
+        {% include 'registered/groupmanagementmenu.html' %}
         <ul class="nav nav-tabs">
             <li class="active"><a data-toggle="tab" href="#add">{% trans "Group Add Requests" %}</a></li>
             <li><a data-toggle="tab" href="#leave">{% trans "Group Leave Requests" %}</a></li>
diff --git a/stock/templates/registered/groupmanagementmenu.html b/stock/templates/registered/groupmanagementmenu.html
index d0823779..2423f3e0 100644
--- a/stock/templates/registered/groupmanagementmenu.html
+++ b/stock/templates/registered/groupmanagementmenu.html
@@ -1,5 +1,6 @@
 {% load staticfiles %}
 {% load i18n %}
+{% load navactive %}
 
 <nav class="navbar navbar-default">
 <div class="container-fluid">
@@ -14,10 +15,10 @@
     </div>
     <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
         <ul class="nav navbar-nav">
-            <li {% if page == 'auth_group_management' %}class="active"{% endif %}>
+            <li class="{% navactive request 'auth_group_management' %}">
                 <a href="{% url 'auth_group_management' %}">{% trans "Group Requests" %}</a>
             </li>
-            <li {% if page == 'auth_group_membership' %}class="active"{% endif %}>
+            <li class="{% navactive request 'auth_group_membership auth_group_membership_list' %}">
                 <a href="{% url 'auth_group_membership' %}">{% trans "Group Membership" %}</a>
             </li>
         </ul>
diff --git a/stock/templates/registered/groupmembers.html b/stock/templates/registered/groupmembers.html
index b83e3b12..586b49a2 100644
--- a/stock/templates/registered/groupmembers.html
+++ b/stock/templates/registered/groupmembers.html
@@ -9,7 +9,7 @@
 
 {% block content %}
     <div class="col-lg-12">
-        {% include 'registered/groupmanagementmenu.html' with page="auth_group_membership"  %}
+        {% include 'registered/groupmanagementmenu.html' %}
         <h3>{{ group.name }} {% trans 'Members' %}</h3>
         <div id="list" class="">
             {% if group.user_set %}
diff --git a/stock/templates/registered/groupmembership.html b/stock/templates/registered/groupmembership.html
index 173b152e..66c7c7a7 100644
--- a/stock/templates/registered/groupmembership.html
+++ b/stock/templates/registered/groupmembership.html
@@ -9,7 +9,7 @@
 
 {% block content %}
     <div class="col-lg-12">
-        {% include 'registered/groupmanagementmenu.html' with page="auth_group_membership"  %}
+        {% include 'registered/groupmanagementmenu.html' %}
         <div>
             {% if groups %}
             <h3>Groups</h3>

From 9eba5607d2dafedce2ba34b44bacb91e18cddc0b Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Mon, 5 Dec 2016 20:42:47 +1000
Subject: [PATCH 07/10] Consolidate member state checking for easier code reuse

---
 authentication/context_processors.py |  8 ++---
 authentication/decorators.py         | 24 +++++----------
 authentication/managers.py           | 44 +++++++++++++++++++++++++++-
 3 files changed, 53 insertions(+), 23 deletions(-)

diff --git a/authentication/context_processors.py b/authentication/context_processors.py
index d403df83..7f1c39f1 100644
--- a/authentication/context_processors.py
+++ b/authentication/context_processors.py
@@ -1,14 +1,11 @@
 from __future__ import unicode_literals
-from authentication.models import AuthServicesInfo
 from authentication.states import NONE_STATE, BLUE_STATE, MEMBER_STATE
+from authentication.managers import UserState
 from django.conf import settings
 
 
 def membership_state(request):
-    if request.user.is_authenticated:
-        auth = AuthServicesInfo.objects.get_or_create(user=request.user)[0]
-        return {'STATE': auth.state}
-    return {'STATE': NONE_STATE}
+    return UserState.get_membership_state(request)
 
 
 def states(request):
@@ -19,6 +16,7 @@ def states(request):
         'MEMBER_BLUE_STATE': [MEMBER_STATE, BLUE_STATE],
     }
 
+
 def sso(request):
     return {
         'EVE_SSO_CALLBACK_URL': settings.EVE_SSO_CALLBACK_URL,
diff --git a/authentication/decorators.py b/authentication/decorators.py
index 1d3167cb..c08fc8cb 100644
--- a/authentication/decorators.py
+++ b/authentication/decorators.py
@@ -1,33 +1,23 @@
 from __future__ import unicode_literals
 from django.contrib.auth.decorators import user_passes_test
-from authentication.models import AuthServicesInfo
-from authentication.states import MEMBER_STATE, BLUE_STATE, NONE_STATE
-from django.conf import settings
+from authentication.managers import UserState
 
 
-def _state_required(states, *args, **kwargs):
-    def test_func(user):
-        if user.is_superuser and settings.SUPERUSER_STATE_BYPASS:
-            return True
-        if user.is_authenticated:
-            auth = AuthServicesInfo.objects.get_or_create(user=user)[0]
-            return auth.state in states
-        return False
-
-    return user_passes_test(test_func, *args, **kwargs)
+def _state_required(state_test, *args, **kwargs):
+    return user_passes_test(state_test, *args, **kwargs)
 
 
 def members(*args, **kwargs):
-    return _state_required([MEMBER_STATE], *args, **kwargs)
+    return _state_required(UserState.member_state, *args, **kwargs)
 
 
 def blues(*args, **kwargs):
-    return _state_required([BLUE_STATE], *args, **kwargs)
+    return _state_required(UserState.blue_state, *args, **kwargs)
 
 
 def members_and_blues(*args, **kwargs):
-    return _state_required([MEMBER_STATE, BLUE_STATE], *args, **kwargs)
+    return _state_required(UserState.member_or_blue_state, *args, **kwargs)
 
 
 def none_state(*args, **kwargs):
-    return _state_required([NONE_STATE], *args, **kwargs)
+    return _state_required(UserState.none_state, *args, **kwargs)
diff --git a/authentication/managers.py b/authentication/managers.py
index 6471880b..a577a05a 100755
--- a/authentication/managers.py
+++ b/authentication/managers.py
@@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 from django.contrib.auth.models import User
-
+from django.conf import settings
+from authentication.states import NONE_STATE, BLUE_STATE, MEMBER_STATE
 from authentication.models import AuthServicesInfo
 
 import logging
@@ -143,3 +144,44 @@ class AuthServicesInfoManager:
             logger.info("Updated user %s market info in authservicesinfo model." % user)
         else:
             logger.error("Failed to update user %s market info: user does not exist." % user)
+
+
+class UserState:
+    def __init__(self):
+        pass
+
+    MEMBER_STATE = MEMBER_STATE
+    BLUE_STATE = BLUE_STATE
+    NONE_STATE = NONE_STATE
+
+    @classmethod
+    def member_state(cls, user):
+        return cls.state_required(user, [cls.MEMBER_STATE])
+
+    @classmethod
+    def member_or_blue_state(cls, user):
+        return cls.state_required(user, [cls.MEMBER_STATE, cls.BLUE_STATE])
+
+    @classmethod
+    def blue_state(cls, user):
+        return cls.state_required(user, [cls.BLUE_STATE])
+
+    @classmethod
+    def none_state(cls, user):
+        return cls.state_required(user, [cls.NONE_STATE])
+
+    @classmethod
+    def get_membership_state(cls, request):
+        if request.user.is_authenticated:
+            auth = AuthServicesInfo.objects.get_or_create(user=request.user)[0]
+            return {'STATE': auth.state}
+        return {'STATE': cls.NONE_STATE}
+
+    @staticmethod
+    def state_required(user, states):
+        if user.is_superuser and settings.SUPERUSER_STATE_BYPASS:
+            return True
+        if user.is_authenticated:
+            auth = AuthServicesInfo.objects.get_or_create(user=user)[0]
+            return auth.state in states
+        return False

From 83b62525eb87cddabd3010e45c2b280c985cb9de Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Mon, 5 Dec 2016 21:49:12 +1000
Subject: [PATCH 08/10] Added support for group leaders to manage groups

---
 alliance_auth/settings.py.example     |  1 +
 groupmanagement/context_processors.py |  5 ++
 groupmanagement/managers.py           | 36 +++++++++++
 groupmanagement/views.py              | 90 ++++++++++++++++++++++-----
 stock/templates/public/base.html      |  2 +-
 5 files changed, 117 insertions(+), 17 deletions(-)
 create mode 100644 groupmanagement/context_processors.py

diff --git a/alliance_auth/settings.py.example b/alliance_auth/settings.py.example
index 271eace0..bef0b271 100644
--- a/alliance_auth/settings.py.example
+++ b/alliance_auth/settings.py.example
@@ -111,6 +111,7 @@ TEMPLATES = [
                 'authentication.context_processors.states',
                 'authentication.context_processors.membership_state',
                 'authentication.context_processors.sso',
+                'groupmanagement.context_processors.can_manage_groups',
             ],
         },
     },
diff --git a/groupmanagement/context_processors.py b/groupmanagement/context_processors.py
new file mode 100644
index 00000000..0d60be3f
--- /dev/null
+++ b/groupmanagement/context_processors.py
@@ -0,0 +1,5 @@
+from groupmanagement.managers import GroupManager
+
+
+def can_manage_groups(request):
+    return {'can_manage_groups': GroupManager.can_manage_groups(request.user)}
diff --git a/groupmanagement/managers.py b/groupmanagement/managers.py
index cb0d0486..41188257 100644
--- a/groupmanagement/managers.py
+++ b/groupmanagement/managers.py
@@ -1,5 +1,6 @@
 from django.contrib.auth.models import Group
 from django.conf import settings
+from authentication.managers import UserState
 
 class GroupManager:
     def __init__(self):
@@ -9,6 +10,10 @@ class GroupManager:
     def get_joinable_groups():
         return Group.objects.exclude(authgroup__internal=True)
 
+    @staticmethod
+    def get_group_leaders_groups(user):
+        return Group.objects.filter(authgroup__group_leaders__in=[user])
+
     @staticmethod
     def joinable_group(group):
         """
@@ -18,3 +23,34 @@ class GroupManager:
         :return: bool True if its joinable, False otherwise
         """
         return not group.authgroup.internal
+
+    @staticmethod
+    def has_management_permission(user):
+        return user.has_perm('auth.group_management')
+
+    @classmethod
+    def can_manage_groups(cls, user):
+        """
+        For use with user_passes_test decorator.
+        Check if the user can manage groups. Either has the
+        auth.group_management permission or is a leader of at least one group
+        and is also a Member.
+        :param user: django.contrib.auth.models.User for the request
+        :return: bool True if user can manage groups, False otherwise
+        """
+        if user.is_authenticated:
+            return cls.has_management_permission(user) or (user.leads_groups.all() and UserState.member_state(user))
+        return False
+
+    @classmethod
+    def can_manage_group(cls, user, group):
+        """
+        Check user has permission to manage the given group
+        :param user: User object to test permission of
+        :param group: Group object the user is attempting to manage
+        :return: True if the user can manage the group
+        """
+        if user.is_authenticated:
+            return cls.has_management_permission(user) or (
+                user.leads_groups.filter(group=group).exists() and UserState.member_state(user))
+        return False
diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 0e11cdb5..c36de8a5 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -1,18 +1,18 @@
 from __future__ import unicode_literals
 from django.shortcuts import render, redirect
 from django.contrib.auth.decorators import login_required
-from django.contrib.auth.decorators import permission_required
+from django.contrib.auth.decorators import user_passes_test
 from django.contrib.auth.models import Group
 from django.contrib import messages
 from notifications import notify
-from groupmanagement.managers import GroupManager
-from groupmanagement.models import GroupRequest
-from authentication.models import AuthServicesInfo
-from eveonline.managers import EveManager
 from django.utils.translation import ugettext_lazy as _
 from django.db.models import Count
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.http import Http404
+from groupmanagement.managers import GroupManager
+from groupmanagement.models import GroupRequest
+from authentication.models import AuthServicesInfo
+from eveonline.managers import EveManager
 
 import logging
 
@@ -20,17 +20,25 @@ logger = logging.getLogger(__name__)
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_management(request):
     logger.debug("group_management called by user %s" % request.user)
     acceptrequests = []
     leaverequests = []
 
-    for grouprequest in GroupRequest.objects.all():
+    if GroupManager.has_management_permission(request.user):
+        # Full access
+        group_requests = GroupRequest.objects.all()
+    else:
+        # Group specific leader
+        group_requests = GroupRequest.objects.filter(group__authgroup__group_leaders__in=[request.user])
+
+    for grouprequest in group_requests:
         if grouprequest.leave_request:
             leaverequests.append(grouprequest)
         else:
             acceptrequests.append(grouprequest)
+
     logger.debug("Providing user %s with %s acceptrequests and %s leaverequests." % (
         request.user, len(acceptrequests), len(leaverequests)))
 
@@ -40,11 +48,18 @@ def group_management(request):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_membership(request):
     logger.debug("group_membership called by user %s" % request.user)
     # Get all open and closed groups
-    groups = Group.objects.exclude(authgroup__internal=True).annotate(num_members=Count('user')).order_by('name')
+    if GroupManager.has_management_permission(request.user):
+        # Full access
+        groups = GroupManager.get_joinable_groups()
+    else:
+        # Group leader specific
+        groups = GroupManager.get_group_leaders_groups(request.user)
+
+    groups = groups.exclude(authgroup__internal=True).annotate(num_members=Count('user')).order_by('name')
 
     render_items = {'groups': groups}
 
@@ -52,14 +67,17 @@ def group_membership(request):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_membership_list(request, group_id):
     logger.debug("group_membership_list called by user %s for group id %s" % (request.user, group_id))
     try:
         group = Group.objects.get(id=group_id)
 
         # Check its a joinable group i.e. not corp or internal
-        if not GroupManager.joinable_group(group):
+        # And the user has permission to manage it
+        if not GroupManager.joinable_group(group) or not GroupManager.can_manage_group(request.user, group):
+            logger.warning("User %s attempted to view the membership of group %s but permission was denied" %
+                           (request.user, group_id))
             raise PermissionDenied
 
     except ObjectDoesNotExist:
@@ -81,13 +99,20 @@ def group_membership_list(request, group_id):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_membership_remove(request, group_id, user_id):
     logger.debug("group_membership_remove called by user %s for group id %s on user id %s" %
                  (request.user, group_id, user_id))
     try:
         group = Group.objects.get(id=group_id)
 
+        # Check its a joinable group i.e. not corp or internal
+        # And the user has permission to manage it
+        if not GroupManager.joinable_group(group) or not GroupManager.can_manage_group(request.user, group):
+            logger.warning("User %s attempted to remove a user from group %s but permission was denied" % (request.user,
+                                                                                                           group_id))
+            raise PermissionDenied
+
         try:
             user = group.user_set.get(id=user_id)
             # Remove group from user
@@ -103,12 +128,17 @@ def group_membership_remove(request, group_id, user_id):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_accept_request(request, group_request_id):
     logger.debug("group_accept_request called by user %s for grouprequest id %s" % (request.user, group_request_id))
     try:
         group_request = GroupRequest.objects.get(id=group_request_id)
         group, created = Group.objects.get_or_create(name=group_request.group.name)
+
+        if not GroupManager.joinable_group(group_request.group) or \
+                not GroupManager.can_manage_group(request.user, group_request.group):
+            raise PermissionDenied
+
         group_request.user.groups.add(group)
         group_request.user.save()
         group_request.delete()
@@ -118,6 +148,11 @@ def group_accept_request(request, group_request_id):
                message="Your application to %s has been accepted." % group_request.group)
         messages.success(request,
                          'Accepted application from %s to %s.' % (group_request.main_char, group_request.group))
+
+    except PermissionDenied as p:
+        logger.warning("User %s attempted to accept group join request %s but permission was denied" %
+                       (request.user, group_request_id))
+        raise p
     except:
         messages.error(request, 'An unhandled error occurred while processing the application from %s to %s.' % (
             group_request.main_char, group_request.group))
@@ -129,12 +164,15 @@ def group_accept_request(request, group_request_id):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_reject_request(request, group_request_id):
     logger.debug("group_reject_request called by user %s for group request id %s" % (request.user, group_request_id))
     try:
         group_request = GroupRequest.objects.get(id=group_request_id)
 
+        if not GroupManager.can_manage_group(request.user, group_request.group):
+            raise PermissionDenied
+
         if group_request:
             logger.info("User %s rejected group request from user %s to group %s" % (
                 request.user, group_request.user, group_request.group.name))
@@ -143,6 +181,11 @@ def group_reject_request(request, group_request_id):
                    message="Your application to %s has been rejected." % group_request.group)
             messages.success(request,
                              'Rejected application from %s to %s.' % (group_request.main_char, group_request.group))
+
+    except PermissionDenied as p:
+        logger.warning("User %s attempted to reject group join request %s but permission was denied" %
+                       (request.user, group_request_id))
+        raise p
     except:
         messages.error(request, 'An unhandled error occured while processing the application from %s to %s.' % (
             group_request.main_char, group_request.group))
@@ -154,12 +197,16 @@ def group_reject_request(request, group_request_id):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_leave_accept_request(request, group_request_id):
     logger.debug(
         "group_leave_accept_request called by user %s for group request id %s" % (request.user, group_request_id))
     try:
         group_request = GroupRequest.objects.get(id=group_request_id)
+
+        if not GroupManager.can_manage_group(request.user, group_request.group):
+            raise PermissionDenied
+
         group, created = Group.objects.get_or_create(name=group_request.group.name)
         group_request.user.groups.remove(group)
         group_request.user.save()
@@ -170,6 +217,10 @@ def group_leave_accept_request(request, group_request_id):
                message="Your request to leave %s has been accepted." % group_request.group)
         messages.success(request,
                          'Accepted application from %s to leave %s.' % (group_request.main_char, group_request.group))
+    except PermissionDenied as p:
+        logger.warning("User %s attempted to accept group leave request %s but permission was denied" %
+                       (request.user, group_request_id))
+        raise p
     except:
         messages.error(request, 'An unhandled error occured while processing the application from %s to leave %s.' % (
             group_request.main_char, group_request.group))
@@ -181,13 +232,16 @@ def group_leave_accept_request(request, group_request_id):
 
 
 @login_required
-@permission_required('auth.group_management')
+@user_passes_test(GroupManager.can_manage_groups)
 def group_leave_reject_request(request, group_request_id):
     logger.debug(
         "group_leave_reject_request called by user %s for group request id %s" % (request.user, group_request_id))
     try:
         group_request = GroupRequest.objects.get(id=group_request_id)
 
+        if not GroupManager.can_manage_group(request.user, group_request.group):
+            raise PermissionDenied
+
         if group_request:
             group_request.delete()
             logger.info("User %s rejected group leave request from user %s for group %s" % (
@@ -196,6 +250,10 @@ def group_leave_reject_request(request, group_request_id):
                    message="Your request to leave %s has been rejected." % group_request.group)
             messages.success(request, 'Rejected application from %s to leave %s.' % (
                 group_request.main_char, group_request.group))
+    except PermissionDenied as p:
+        logger.warning("User %s attempted to reject group leave request %s but permission was denied" %
+                       (request.user, group_request_id))
+        raise p
     except:
         messages.error(request, 'An unhandled error occured while processing the application from %s to leave %s.' % (
             group_request.main_char, group_request.group))
diff --git a/stock/templates/public/base.html b/stock/templates/public/base.html
index 650d843a..d44a80c9 100755
--- a/stock/templates/public/base.html
+++ b/stock/templates/public/base.html
@@ -165,7 +165,7 @@
                             </li>
                         {% endif %}
 
-                        {% if perms.auth.group_management %}
+                        {% if can_manage_groups %}
                             <li>
                                 <a class="{% navactive request 'auth_group_management' %}" href="{% url 'auth_group_management' %}">
                                     <i class="fa fa-lock fa-sitemap fa-fw grayiconecolor"></i>{% trans " Group Management" %}

From c0ca73f9eaa27d6f8bf0d07a64f8987114f37e43 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Tue, 6 Dec 2016 20:18:13 +1000
Subject: [PATCH 09/10] Added info log when a user removes someone from a group

---
 groupmanagement/views.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index e79ab0da..99c88970 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -97,6 +97,7 @@ def group_membership_remove(request, group_id, user_id):
             user = group.user_set.get(id=user_id)
             # Remove group from user
             user.groups.remove(group)
+            logger.info("User %s removed user %s from group %s" % (request.user, user, group))
             messages.success(request, "Removed user %s from group %s" % (user, group))
         except ObjectDoesNotExist:
             messages.warning(request, "User does not exist in that group")

From 721708ee160ceb5cfed6f5b30dfb260b1daf3e67 Mon Sep 17 00:00:00 2001
From: Basraah <basraaheve@gmail.com>
Date: Thu, 8 Dec 2016 12:50:45 +1000
Subject: [PATCH 10/10] Add ordering to group member list

---
 groupmanagement/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 4be2dab2..d0a00b4d 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -85,7 +85,7 @@ def group_membership_list(request, group_id):
 
     members = list()
 
-    for member in group.user_set.all():
+    for member in group.user_set.all().order_by('username'):
         authinfo = AuthServicesInfo.objects.get_or_create(user=member)[0]
 
         members.append({