fix: Handle AnonymousUser in has_event_perm template tag and ScheduleView

[ArnavBallinCode]

• Added is_authenticated check in has_event_perm template tag before calling User.has_perm(), which requires permission_cache attribute
• Added is_authenticated check in ScheduleView.dispatch before checking has_perm for featured submissions redirect

Earlier AnonymousUser doesn't have the permission_cache attribute

Fixes #1503

Summary by Sourcery

Handle anonymous users safely in permission checks for schedule view and event permission template tag.

Bug Fixes:

• Prevent errors when evaluating has_event_perm for AnonymousUser in templates by returning False early.
• Avoid accessing permissions on AnonymousUser in ScheduleView.dispatch before checking authentication status.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Ensure permission checks for schedule viewing and template tag usage safely handle AnonymousUser instances by gating permission logic behind is_authenticated checks.

Sequence diagram for updated ScheduleView.dispatch permission handling

sequenceDiagram
    actor AnonymousUser as AnonymousUser
    participant Browser as Browser
    participant ScheduleView as ScheduleView
    participant PermissionSystem as PermissionSystem
    participant Messages as Messages

    AnonymousUser->>Browser: Request schedule page
    Browser->>ScheduleView: HTTP GET /schedule
    ScheduleView->>ScheduleView: has_permission()
    alt has_permission returns false
        ScheduleView->>ScheduleView: check request.user.is_authenticated
        alt user is authenticated
            ScheduleView->>PermissionSystem: has_perm(list_featured_submission, event)
            alt user has permission
                ScheduleView->>Messages: messages.success("Our schedule is not live yet.")
                ScheduleView-->>Browser: Redirect to featured submissions
            else user lacks permission
                ScheduleView-->>Browser: Normal response without redirect
            end
        else user is AnonymousUser
            ScheduleView-->>Browser: Normal response without redirect
        end
    else has_permission returns true
        ScheduleView-->>Browser: Normal schedule response
    end

Loading

Sequence diagram for updated has_event_perm template tag

sequenceDiagram
    participant Template as DjangoTemplate
    participant Tag as has_event_perm
    participant AdminMode as is_admin_mode_active
    participant UserClass as User

    Template->>Tag: has_event_perm(perm, user, request, obj)
    Tag->>Tag: check user.is_authenticated
    alt user is not authenticated
        Tag-->>Template: False
    else user is authenticated
        Tag->>AdminMode: is_admin_mode_active(request)
        alt admin mode active
            Tag-->>Template: True
        else admin mode not active
            Tag->>UserClass: has_perm(user, perm, obj)
            UserClass-->>Tag: permission_result
            Tag-->>Template: permission_result
        end
    end

Loading

File-Level Changes

Change	Details	Files
Harden schedule view dispatch permission check against AnonymousUser.	Extend the dispatch condition to first verify request.user.is_authenticated before calling has_perm for featured submissions. Preserve existing behaviour for authenticated users with list_featured_submission permission while avoiding attribute errors for anonymous users.	app/eventyay/agenda/views/schedule.py
Guard has_event_perm template tag against AnonymousUser usage.	Introduce an early return of False when the provided user is not authenticated. Leave the existing admin-mode or User.has_perm-based permission resolution unchanged for authenticated users.	app/eventyay/orga/templatetags/staff_session.py

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#1503	Prevent crashes when an anonymous (not logged-in) user visits CFP-related pages by ensuring permission checks do not access attributes (like permission_cache) that AnonymousUser lacks.	✅

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• In ScheduleView.dispatch, the condition mixes request.user and self.request.user; consider using a single source consistently (e.g., request.user) to avoid subtle discrepancies or future confusion.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `ScheduleView.dispatch`, the condition mixes `request.user` and `self.request.user`; consider using a single source consistently (e.g., `request.user`) to avoid subtle discrepancies or future confusion.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.