From d5bbadcf91139526fe99c0bcae364809a3e12dc6 Mon Sep 17 00:00:00 2001 From: miio Date: Sat, 4 Mar 2017 19:50:57 +0900 Subject: [PATCH 1/2] =?UTF-8?q?=E3=82=A4=E3=83=99=E3=83=B3=E3=83=88?= =?UTF-8?q?=E5=8F=82=E5=8A=A0=E8=80=85=E3=81=8C=E3=82=A4=E3=83=99=E3=83=B3?= =?UTF-8?q?=E3=83=88=E7=B7=A8=E9=9B=86=E3=81=A7=E3=81=8D=E3=82=8B=E3=82=88?= =?UTF-8?q?=E3=81=86=E3=81=AB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/kawaz/apps/events/perms.py | 8 +++++++- src/kawaz/apps/events/tests/test_perms.py | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/kawaz/apps/events/perms.py b/src/kawaz/apps/events/perms.py index f536435f..d8d52eb7 100644 --- a/src/kawaz/apps/events/perms.py +++ b/src/kawaz/apps/events/perms.py @@ -16,6 +16,12 @@ class EventPermissionLogic(PermissionLogic): - `events.quit_event` """ + def _change_event_perm(self, user_obj, perm, obj): + # non attendee cannot change the event + if not obj.attendees.filter(pk=user_obj.pk): + return False + return True + def _has_attend_perm(self, user_obj, perm, obj): # duplicated attendance is not permitted if obj.attendees.filter(pk=user_obj.pk): @@ -73,7 +79,7 @@ def author_required(user_obj, perm, obj): return obj.organizer == user_obj # object permission permission_methods = { - 'events.change_event': author_required, + 'events.change_event': self._change_event_perm, 'events.delete_event': author_required, 'events.attend_event': self._has_attend_perm, 'events.quit_event': self._has_quit_perm, diff --git a/src/kawaz/apps/events/tests/test_perms.py b/src/kawaz/apps/events/tests/test_perms.py index 58c1ca10..4a13a190 100644 --- a/src/kawaz/apps/events/tests/test_perms.py +++ b/src/kawaz/apps/events/tests/test_perms.py @@ -67,6 +67,7 @@ def test_change_permission_with_obj(self): self._test('wille', 'change', obj=self.event, neg=True) self._test('anonymous', 'change', obj=self.event, neg=True) self._test('organizer', 'change', obj=self.event) + self._test('attendee', 'change', obj=self.event) def test_delete_permission_without_obj(self): """ From fc7449f4ff428df764037fb56a8039877f2e341f Mon Sep 17 00:00:00 2001 From: Kohki Miki Date: Sun, 19 Mar 2017 21:21:41 +0900 Subject: [PATCH 2/2] Add tests to check delete permission --- src/kawaz/apps/events/tests/test_perms.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/kawaz/apps/events/tests/test_perms.py b/src/kawaz/apps/events/tests/test_perms.py index 4a13a190..8ad08938 100644 --- a/src/kawaz/apps/events/tests/test_perms.py +++ b/src/kawaz/apps/events/tests/test_perms.py @@ -93,6 +93,7 @@ def test_delete_permission_with_obj(self): self._test('wille', 'delete', obj=self.event, neg=True) self._test('anonymous', 'delete', obj=self.event, neg=True) self._test('organizer', 'delete', obj=self.event) + self._test('attendee', 'delete', obj=self.event, neg=True) def test_attend_permission_without_obj(self): """