aa: also check permissions in views
authorFrédéric Péters <fpeters@0d.be>
Wed, 24 Mar 2021 18:54:09 +0000 (19:54 +0100)
committerFrédéric Péters <fpeters@0d.be>
Wed, 24 Mar 2021 18:54:09 +0000 (19:54 +0100)
panikdb/aa/views.py

index e54d7ef291750c138e6f10dd1c8db32e96c4f5a2..75f635820cf9b092aac5840d3763cee063b3057b 100644 (file)
@@ -119,7 +119,7 @@ class MemberEditView(UpdateView):
     form_class = MemberEditForm
 
     def get_object(self):
-        if not self.request.user.is_staff:
+        if not self.request.user.has_perm('aa.add_user'):
             raise PermissionDenied()
         return super().get_object()
 
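Review bot: The edit view is now gated on `aa.add_user`, the "add" codename, and the same codename guards `MemberCreateView.get_object` and `MemberEmissionRemoveView.get_redirect_url` in the two later hunks. Assuming the model keeps Django's default permissions, a role granted only the right to create members would also be able to edit any member and remove emissions. If one permission is meant to stand for "may manage members", a comment such as `# aa.add_user is the single member-management permission` above the check would record that; otherwise `has_perm('aa.change_user')` fits this view better. MemberEditView starts outside the hunk.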
@@ -135,7 +135,7 @@ class MemberCreateView(CreateView):
     form_class = MemberCreateForm
 
     def get_object(self):
-        if not self.request.user.is_staff:
+        if not self.request.user.has_perm('aa.add_user'):
             raise PermissionDenied()
         return super().get_object()
 
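Review bot: The check in `MemberCreateView.get_object` is probably never reached, because Django's CreateView sets `self.object = None` in `get()` and `post()` and does not call `get_object()`. Unless the rest of the class, which lies outside this hunk, calls it explicitly, member creation is protected only by whatever wraps the view where it is exported or routed. Enforcing the permission at dispatch time closes that gap, for example `class MemberCreateView(PermissionRequiredMixin, CreateView):` with `permission_required = 'aa.add_user'` (from `django.contrib.auth.mixins`), or the same `has_perm` test in an overridden `dispatch()`. The `is_staff` check this line replaces had the same problem.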
@@ -177,7 +177,7 @@ member_emissions = login_required(MemberEmissionsView.as_view())
 
 class MemberEmissionRemoveView(RedirectView):
     def get_redirect_url(self, *args, **kwargs):
-        if not self.request.user.is_staff:
+        if not self.request.user.has_perm('aa.add_user'):
             raise PermissionDenied()
         member = User.objects.get(id=kwargs['pk'])
         member.emissions.remove(kwargs['em_pk'])
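Review bot: `get_redirect_url` removes the emission as a side effect of a request that RedirectView also serves for GET, so Django's CSRF middleware does not cover it and the permission check added here is the only barrier. Any cross-site request made from the browser of a user holding `aa.add_user` would carry out the removal; setting `http_method_names = ['post']` on the class and submitting from a form with `{% csrf_token %}` brings it under CSRF protection. Separately, `User.objects.get(id=kwargs['pk'])` raises `DoesNotExist` (a 500) for an unknown pk, where `get_object_or_404(User, id=kwargs['pk'])` would return a 404. The method body appears to continue past the end of the hunk.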