From 5dbb1a70bc663e70a7d6a74d9b3d78ee5b93f4d4 Mon Sep 17 00:00:00 2001
From: Professor Colin Turner
Date: Thu, 8 Jan 2026 17:05:32 +0000
Subject: [PATCH 1/2] We don't want the new School, Faculty, Campus entities to be required in validation.
---
 loads/models.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/loads/models.py b/loads/models.py
index 8b11b63..0ba580c 100644
--- a/loads/models.py
+++ b/loads/models.py
@@ -655,9 +655,9 @@ class Staff(models.Model):
 is_external = models.BooleanField(default=False)
 has_workload = models.BooleanField(default=True)
 job_title = models.CharField(max_length=100, null=True, blank=True)
- school = models.ForeignKey(School, null=True, on_delete=models.SET_NULL)
- faculty = models.ForeignKey(Faculty, null=True, on_delete=models.SET_NULL)
- campus = models.ForeignKey(Campus, null=True, on_delete=models.SET_NULL)
+ school = models.ForeignKey(School, null=True, blank=True, on_delete=models.SET_NULL)
+ faculty = models.ForeignKey(Faculty, null=True, blank=True, on_delete=models.SET_NULL)
+ campus = models.ForeignKey(Campus, null=True, blank=True, on_delete=models.SET_NULL)
 package = models.ForeignKey(WorkPackage, null=True, on_delete=models.SET_NULL)
 objects = StaffManager()
From f35c419a53bff0859b1d8e27faeb768ece270477 Mon Sep 17 00:00:00 2001
From: Professor Colin Turner
Date: Thu, 8 Jan 2026 17:36:40 +0000
Subject: [PATCH 2/2] Ensure groups with permissions cannot be added on user creation.
---
 loads/views.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/loads/views.py b/loads/views.py
index f84f6fe..b52b47f 100644
--- a/loads/views.py
+++ b/loads/views.py
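Review bot: The `blank=True` added to `school`, `faculty` and `campus` changes the fields' deconstructed options, so Django's `makemigrations` will generate an AlterField migration for it even though the database schema is untouched; the diffstat lists only loads/models.py, so unless such a migration already exists `makemigrations --check` will fail on this commit. The next context line keeps `package = models.ForeignKey(WorkPackage, null=True, on_delete=models.SET_NULL)` without `blank=True`, which reads as deliberate given the commit message names only the three new entities; a one-line comment above it, `# package stays required in forms; only school/faculty/campus are optional`, would keep that asymmetry from being "fixed" by a later reader. The Staff class body continues outside the hunk.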
@@ -22,7 +22,7 @@ from django.utils.decorators import method_decorator
 from django.http import HttpResponse, HttpResponseRedirect
 from django.template import loader
-from django.contrib.auth.models import User, Group
+from django.contrib.auth.models import User, Group, Permission
 from .models import ActivityGenerator, Category
 from .models import AssessmentResource
@@ -964,9 +964,18 @@ def create_staff_user(request):
 if request.method == 'POST':
 form = StaffCreationForm(request.POST)
 if form.is_valid():
- form.save()
 new_username = form.cleaned_data['username']
+ groups = form.cleaned_data['groups']
+
+ for group in groups:
+ permissions = group.permissions.all()
+ logger.debug("[%s] checking group %s with %u permissions" % (request.user, group, permissions.count()))
+ if permissions.count() > 0:
+ logger.critical(
+ "[%s] cannot add group %s with built in permissions" % (request.user, group))
+ raise PermissionDenied(f"Cannot add group '{group.name}' as it has built in permissions")
+ form.save()
 messages.success(request, 'Account created successfully')
 logger.info("[%s] (admin) created a staff user %s" % (request.user, new_username), extra={'form': form})
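Review bot: The permission guard in the `for group in groups:` loop runs only inside this view, so it does not cover any other path that saves a StaffCreationForm or later assigns groups to the user (an admin-site registration or an edit view, if those exist) — moving the same check into the form's `clean_groups` and raising `ValidationError` would enforce it wherever the form is used and return a form error instead of a 403 to an admin who picked the wrong group. The ordering here is right and must be kept: the loop stays ahead of `form.save()` so a rejected group is never persisted. Inside the loop `permissions.count()` is evaluated twice, once for the debug message and once for the condition; `if group.permissions.exists():` makes the decision in a single query and states the intent. The import hunk adds `Permission` to the `django.contrib.auth.models` import, yet nothing in the visible new code uses it, while `PermissionDenied` (django.core.exceptions) is used and not imported by this patch — presumably already in scope further up views.py, worth confirming. create_staff_user's body continues outside the hunk.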