misc: check nonstop.change_nonstopzonesetting permission for settings changes
authorFrédéric Péters <fpeters@0d.be>
Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
committerFrédéric Péters <fpeters@0d.be>
Wed, 22 Jul 2020 15:21:59 +0000 (17:21 +0200)
nonstop/views.py

index bd2081d..6544b5d 100644 (file)
@@ -6,6 +6,7 @@ import tempfile
 
 import mutagen
 
+from django.core.exceptions import PermissionDenied
 from django.core.files.storage import default_storage
 from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
 from django.core.urlresolvers import reverse, reverse_lazy
@@ -581,7 +582,8 @@ class ZoneSettings(FormView):
         return initial
 
     def form_valid(self, form):
-        assert self.request.user.has_perm('nonstop.add_track')
+        if not self.request.user.has_perm('nonstop.change_nonstopzonesettings'):
+            raise PermissionDenied()
         zone = Nonstop.objects.get(slug=self.kwargs['slug'])
         zone_settings = zone.nonstopzonesettings_set.first()
         zone.start = form.cleaned_data['start']