From b829f0a20a608a02b08e88ac5a392e66c777a7cf Mon Sep 17 00:00:00 2001 From: Roberto Rosario Date: Tue, 16 Apr 2019 01:06:50 -0400 Subject: [PATCH] Update group members view required permissions Signed-off-by: Roberto Rosario --- HISTORY.rst | 2 ++ docs/releases/3.2.rst | 2 ++ mayan/apps/user_management/views.py | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/HISTORY.rst b/HISTORY.rst index 712569f245..7258695062 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -82,6 +82,8 @@ * Move Tag app HTML widgets to their own module. * Move the document index app widgets to the html_widget.py module. +* Update group members view permission. The group edit and + user edit permission are now required. 3.1.11 (2019-04-XX) =================== diff --git a/docs/releases/3.2.rst b/docs/releases/3.2.rst index dabc4097ed..b1e50a6b17 100644 --- a/docs/releases/3.2.rst +++ b/docs/releases/3.2.rst @@ -114,6 +114,8 @@ Other changes * Move Tag app HTML widgets to their own module. * Move the document index app widgets to the html_widget.py module. +* Update group members view permission. The group edit and + user edit permission are now required. Removals -------- diff --git a/mayan/apps/user_management/views.py b/mayan/apps/user_management/views.py index f945bc738a..e0a33343c2 100644 --- a/mayan/apps/user_management/views.py +++ b/mayan/apps/user_management/views.py @@ -12,6 +12,7 @@ from django.template import RequestContext from django.urls import reverse, reverse_lazy from django.utils.translation import ungettext, ugettext_lazy as _ +from mayan.apps.acls.models import AccessControlList from mayan.apps.common.views import ( AssignRemoveView, MultipleObjectConfirmActionView, MultipleObjectFormActionView, SingleObjectCreateView, 
@@ -114,16 +115,27 @@ class GroupMembersView(AssignRemoveView): def get_object(self): return get_object_or_404(klass=Group, pk=self.kwargs['pk']) + def get_choices_queryset(self): + return AccessControlList.objects.filter_by_access( + permission=permission_user_edit, + queryset=get_user_model().objects.exclude( + is_staff=True + ).exclude(is_superuser=True), + user=self.request.user + ) + def left_list(self): return GroupMembersView.generate_choices( - get_user_model().objects.exclude( + self.get_choices_queryset().exclude( groups=self.get_object() - ).exclude(is_staff=True).exclude(is_superuser=True) + ) ) def right_list(self): return GroupMembersView.generate_choices( - self.get_object().user_set.all() + self.get_choices_queryset().filter( + pk__in=self.get_object().user_set.all() + ) ) def remove(self, item):
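Review bot: The new `permission_user_edit` filter in `get_choices_queryset()` is only visibly applied to what `left_list()` and `right_list()` render. `remove()` starts on the last line of this hunk and its body, like `add()`, is outside it, so it is not visible whether the submitted item is checked against the same queryset. If the base `AssignRemoveView` does not validate posted values against these choices, the restriction is presentational only, and membership could still be changed for staff, superuser, or other accounts outside the requester's access. A guard at the top of both methods would close that, for example `if not self.get_choices_queryset().filter(pk=item.pk).exists(): raise PermissionDenied` (assuming `item` is a user instance; `PermissionDenied` from `django.core.exceptions` would need importing). The changelog also says group edit is required, yet `get_object()` uses an unfiltered `get_object_or_404`, so that check presumably lives outside the hunk and is worth confirming, and the diffstat shows no test covering the new rule.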