Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User with change_xform ("Can edit") cannot delete submissions via API #509

Closed
jnm opened this issue Dec 18, 2018 · 1 comment
Closed

User with change_xform ("Can edit") cannot delete submissions via API #509

jnm opened this issue Dec 18, 2018 · 1 comment
Assignees
@jnm
Labels
bug

Comments

@jnm
Copy link
Member

jnm commented Dec 18, 2018

A user with change_xform can delete a submission by POSTing id=1234 to http://kc.kobo.local:9000/super/forms/[id_string for form with PK of 1]/delete_data, but the same user receives {"detail":"You do not have permission to perform this action."} when attempting to DELETE http://kc.kobo.local:9000/api/v1/data/1/1234.
@jnm jnm added the bug label Dec 18, 2018
@jnm jnm self-assigned this Dec 18, 2018
@jnm
Copy link
Member Author

jnm commented Dec 18, 2018

This call to get_object() ends up checking whether the user has logger.delete_xform, which they do not:

kobocat/onadata/apps/api/viewsets/data_viewset.py

Lines 573 to 574 in 97deab4

def destroy(self, request, *args, **kwargs):
self.object = self.get_object()

jnm added a commit that referenced this issue Dec 19, 2018
@jnm
Make the data API match the delete_data view
3655ec1 
by allowing those with the `change_xform` permission to delete submissions.
Fixes #509
jnm added a commit that referenced this issue Dec 19, 2018
@jnm
Make the data API match the delete_data view
ef43cc6 
by allowing those with the `change_xform` permission to delete submissions.
Fixes #509
@jnm jnm mentioned this issue Dec 19, 2018
Merged
@jnm jnm mentioned this issue Feb 12, 2019
Open
@jnm jnm closed this as completed in #510 Feb 12, 2019
@noliveleger noliveleger mentioned this issue Aug 23, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jnm jnm

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jnm