misc: check nonstop.change_nonstopzonesetting permission for settings changes

author Frédéric Péters <fpeters@0d.be>

Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)

committer Frédéric Péters <fpeters@0d.be>

Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
author Frédéric Péters <fpeters@0d.be>
Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
committer Frédéric Péters <fpeters@0d.be>
Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
diff --git a/nonstop/views.py b/nonstop/views.py

index bd2081dccef6c836658fe418dd132fd16b1adc4a..6544b5d059c1aad169e0559936cb6d4165656923 100644 (file)
--- a/nonstop/views.py
+++ b/nonstop/views.py
@@ -6,6 +6,7 @@ import tempfile
  
  import mutagen
  
+from django.core.exceptions import PermissionDenied
  from django.core.files.storage import default_storage
  from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
  from django.core.urlresolvers import reverse, reverse_lazy
@@ -581,7 +582,8 @@ class ZoneSettings(FormView):
          return initial
  
      def form_valid(self, form):
-        assert self.request.user.has_perm('nonstop.add_track')
+        if not self.request.user.has_perm('nonstop.change_nonstopzonesettings'):
+            raise PermissionDenied()
          zone = Nonstop.objects.get(slug=self.kwargs['slug'])
          zone_settings = zone.nonstopzonesettings_set.first()
          zone.start = form.cleaned_data['start']
author	Frédéric Péters <fpeters@0d.be>
	Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
committer	Frédéric Péters <fpeters@0d.be>
	Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)