diff --git a/src/kawaz/apps/events/perms.py b/src/kawaz/apps/events/perms.py index f536435f..d8d52eb7 100644 --- a/src/kawaz/apps/events/perms.py +++ b/src/kawaz/apps/events/perms.py @@ -16,6 +16,12 @@ class EventPermissionLogic(PermissionLogic): - `events.quit_event` """ + def _change_event_perm(self, user_obj, perm, obj): + # non attendee cannot change the event + if not obj.attendees.filter(pk=user_obj.pk): + return False + return True + def _has_attend_perm(self, user_obj, perm, obj): # duplicated attendance is not permitted if obj.attendees.filter(pk=user_obj.pk): @@ -73,7 +79,7 @@ def author_required(user_obj, perm, obj): return obj.organizer == user_obj # object permission permission_methods = { - 'events.change_event': author_required, + 'events.change_event': self._change_event_perm, 'events.delete_event': author_required, 'events.attend_event': self._has_attend_perm, 'events.quit_event': self._has_quit_perm, diff --git a/src/kawaz/apps/events/tests/test_perms.py b/src/kawaz/apps/events/tests/test_perms.py index 58c1ca10..8ad08938 100644 --- a/src/kawaz/apps/events/tests/test_perms.py +++ b/src/kawaz/apps/events/tests/test_perms.py @@ -67,6 +67,7 @@ def test_change_permission_with_obj(self): self._test('wille', 'change', obj=self.event, neg=True) self._test('anonymous', 'change', obj=self.event, neg=True) self._test('organizer', 'change', obj=self.event) + self._test('attendee', 'change', obj=self.event) def test_delete_permission_without_obj(self): """ @@ -92,6 +93,7 @@ def test_delete_permission_with_obj(self): self._test('wille', 'delete', obj=self.event, neg=True) self._test('anonymous', 'delete', obj=self.event, neg=True) self._test('organizer', 'delete', obj=self.event) + self._test('attendee', 'delete', obj=self.event, neg=True) def test_attend_permission_without_obj(self): """
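Review bot: `_change_event_perm` grants `events.change_event` purely on attendee membership, so the organizer keeps edit rights only while also listed in `obj.attendees`; the earlier `obj.organizer == user_obj` check from `author_required` is no longer consulted for this permission. If an organizer can ever be absent from the attendee list (not visible in this diff), they would lose the ability to edit their own event. I would keep the owner check explicit and make the membership test a boolean query: `if obj.organizer == user_obj: return True` followed by `return obj.attendees.filter(pk=user_obj.pk).exists()`, which also avoids evaluating the queryset just for its truthiness. The comment could state who is allowed rather than who is not, e.g. `# the organizer and current attendees may change the event`.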
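Review bot: Switching `'events.change_event'` from `author_required` to `self._change_event_perm` widens write access from the single organizer to every attendee, and attendance is itself gated only by `events.attend_event` in this same table. If attending is self-service for ordinary members (`_has_attend_perm` is only partly visible here), any such user can obtain edit rights by attending first, so it is worth confirming that the edit form does not expose fields such as the organizer or the attendee list to attendees. The added tests in `test_perms.py` cover the positive attendee case but not revocation; a case asserting that a user who has quit the event is denied `change` again would pin the intended boundary. A comment on the mapping line, such as `# attendees may edit; deletion stays organizer-only`, would record that the asymmetry with `delete_event` is deliberate.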