Disable form elements in action plan when not allowed to edit.

src/euphorie/client/browser/risk.py

@@ -1303,9 +1303,9 @@ def number_images(self):
 
     def __call__(self):
         super().__call__()
-        # Render the page only if the user has edit rights,
+        # Render the page only if the user has inspection rights,
         # otherwise redirect to the start page of the session.
-        if not self.webhelpers.can_edit_session:
+        if not self.webhelpers.can_inspect_session:
             return self.request.response.redirect(
                 "{session_url}/@@start".format(
                     session_url=self.webhelpers.traversed_session.absolute_url()
@@ -1360,16 +1360,17 @@ def __call__(self):
 
         if self.request.method == "POST":
             reply = self.request.form
-            session = Session()
-            context.comment = self.webhelpers.get_safe_html(reply.get("comment"))
-            context.priority = reply.get("priority")
-
-            new_plans, changes = self.extract_plans_from_request()
-            for plan in context.standard_measures + context.custom_measures:
-                session.delete(plan)
-            context.action_plans.extend(new_plans)
-            if changes:
-                self.session.touch()
+            if self.webhelpers.can_edit_session:
+                session = Session()
+                context.comment = self.webhelpers.get_safe_html(reply.get("comment"))
+                context.priority = reply.get("priority")
+
+                new_plans, changes = self.extract_plans_from_request()
+                for plan in context.standard_measures + context.custom_measures:
+                    session.delete(plan)
+                context.action_plans.extend(new_plans)
+                if changes:
+                    self.session.touch()
 
             _next = self._get_next(reply)
             if _next == "previous":

src/euphorie/client/browser/session.py

@@ -879,7 +879,7 @@ def skip_intro(self):
     def __call__(self):
         """Render the page only if the user has edit rights, otherwise redirect
         to the start page of the session."""
-        if not self.webhelpers.can_edit_session:
+        if not self.webhelpers.can_inspect_session:
             return self.request.response.redirect(
                 self.context.absolute_url() + "/@@start"
             )

src/euphorie/client/browser/templates/risk_actionplan.pt

@@ -70,7 +70,8 @@
               <tal:priority tal:define="
                               show_statement python:True;
                             ">
-                <fieldset tal:define="
+                <fieldset disabled="${python:'disabled' if not webhelpers.can_edit_session else None}"
+                          tal:define="
                             value context/priority;
                             readonly python:context.risk_type in ['top5'];
                             skip_evaluation view/skip_evaluation;

src/euphorie/client/browser/templates/webhelpers.pt

@@ -1146,7 +1146,9 @@
       </tal:actionplans>
     </div>
 
-    <div class="button-bar">
+    <div class="button-bar"
+         tal:condition="webhelpers/can_edit_session"
+    >
       <tal:solutions condition="solutions">
         <button class="pat-button icon-plus-circle pat-depends ${view/style_buttons}"
                 id="add-standard-measures"