[ENG-8516] osf admin can update contributor permission for any resource (#11407)

ihorsokhanexoft · web-flow · commit 966f8e7a076f · 2025-11-06T15:06:09.000-05:00
diff --git a/admin/nodes/views.py b/admin/nodes/views.py
@@ -299,7 +299,8 @@ def post(self, request, *args, **kwargs):
                 permission,
                 resource.get_visible(user),
                 request,
-                save=True
+                save=True,
+                skip_permission=True
             )
 
         return redirect(self.get_success_url())
diff --git a/osf/models/mixins.py b/osf/models/mixins.py
@@ -1644,7 +1644,7 @@ def copy_unclaimed_records(self, resource):
                 contributor.save()
 
     # TODO: optimize me
-    def update_contributor(self, user, permission, visible, auth, save=False):
+    def update_contributor(self, user, permission, visible, auth, save=False, skip_permission=False):
         """ TODO: this method should be updated as a replacement for the main loop of
         Node#manage_contributors. Right now there are redundancies, but to avoid major
         feature creep this will not be included as this time.
@@ -1653,7 +1653,7 @@ def update_contributor(self, user, permission, visible, auth, save=False):
         """
         OSFUser = apps.get_model('osf.OSFUser')
 
-        if not self.has_permission(auth.user, ADMIN):
+        if not skip_permission and not self.has_permission(auth.user, ADMIN):
             raise PermissionsError('Only admins can modify contributor permissions')
 
         if permission:

Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,8 @@ def post(self, request, args, *kwargs):`
`299`	`299`	`permission,`
`300`	`300`	`resource.get_visible(user),`
`301`	`301`	`request,`
`302`		`- save=True`
	`302`	`+ save=True,`
	`303`	`+ skip_permission=True`
`303`	`304`	`)`
`304`	`305`
`305`	`306`	`return redirect(self.get_success_url())`