From: Frédéric Péters <fpeters@0d.be>
Date: Wed, 22 Jul 2020 15:21:59 +0000 (+0200)
Subject: misc: check nonstop.change_nonstopzonesetting permission for settings changes
X-Git-Tag: v2021~105
X-Git-Url: https://git.0d.be/?p=django-panik-nonstop.git;a=commitdiff_plain;h=64d16aea29f0bdcab9f9bc1619de39c391205882

misc: check nonstop.change_nonstopzonesetting permission for settings changes
---

diff --git a/nonstop/views.py b/nonstop/views.py
index bd2081d..6544b5d 100644
--- a/nonstop/views.py
+++ b/nonstop/views.py
@@ -6,6 +6,7 @@ import tempfile
 
 import mutagen
 
+from django.core.exceptions import PermissionDenied
 from django.core.files.storage import default_storage
 from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
 from django.core.urlresolvers import reverse, reverse_lazy
@@ -581,7 +582,8 @@ class ZoneSettings(FormView):
         return initial
 
     def form_valid(self, form):
-        assert self.request.user.has_perm('nonstop.add_track')
+        if not self.request.user.has_perm('nonstop.change_nonstopzonesettings'):
+            raise PermissionDenied()
         zone = Nonstop.objects.get(slug=self.kwargs['slug'])
         zone_settings = zone.nonstopzonesettings_set.first()
         zone.start = form.cleaned_data['start']