Merge pull request #569 from kobotoolbox/568-user-cannot-validate-wit…

…h-validate-xform

Non-owner users with 'validation_xform' permissions cannot validate submissions.

onadata/apps/api/permissions.py

@@ -3,7 +3,7 @@
 from rest_framework.permissions import IsAuthenticated
 
 from onadata.libs.permissions import CAN_ADD_XFORM_TO_PROFILE
-from onadata.libs.permissions import CAN_CHANGE_XFORM
+from onadata.libs.permissions import CAN_CHANGE_XFORM, CAN_VALIDATE_XFORM
 from onadata.apps.api.tools import get_user_profile_or_none, \
     check_inherit_permission_from_project
 from onadata.apps.logger.models import XForm
@@ -73,9 +73,13 @@ def has_object_permission(self, request, view, obj):
 
         if request.method == 'DELETE' and view.action == 'labels':
             user = request.user
-
             return user.has_perms([CAN_CHANGE_XFORM], obj)
 
+        if request.method in ['PATCH', 'DELETE'] \
+                and view.action.endswith('validation_status'):
+            user = request.user
+            return user.has_perms([CAN_VALIDATE_XFORM], obj)
+
         return super(XFormPermissions, self).has_object_permission(
             request, view, obj)