[orga] Restrict permissions

Previously, people with the "can change submissions" permission but without the "can change event settings" permission were allowed to do a lot of things, such as changing the cfp. Now they are allowed less things, and restricted to a read-only mode on many occasions. Closes #633
pretalx · Mar 17, 2019 · b37d3ac · b37d3ac
1 parent 4da7a38
commit b37d3ac
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/src/pretalx/orga/permissions.py b/src/pretalx/orga/permissions.py
@@ -97,17 +97,17 @@ def can_view_speaker_names(user, obj):
 rules.add_perm('orga.view_organisers', can_change_any_organiser_settings)
 rules.add_perm('orga.change_teams', is_administrator | can_change_teams)
 rules.add_perm('orga.view_submission_cards', can_change_submissions)
-rules.add_perm('orga.edit_cfp', can_change_submissions)
+rules.add_perm('orga.edit_cfp', can_change_event_settings)
 rules.add_perm('orga.view_question', can_change_submissions)
-rules.add_perm('orga.edit_question', can_change_submissions)
-rules.add_perm('orga.remove_question', can_change_submissions)
+rules.add_perm('orga.edit_question', can_change_event_settings)
+rules.add_perm('orga.remove_question', can_change_event_settings)
 rules.add_perm('orga.view_submission_type', can_change_submissions)
-rules.add_perm('orga.edit_submission_type', can_change_submissions)
-rules.add_perm('orga.remove_submission_type', can_change_submissions)
+rules.add_perm('orga.edit_submission_type', can_change_event_settings)
+rules.add_perm('orga.remove_submission_type', can_change_event_settings)
 rules.add_perm('orga.view_tracks', can_change_submissions)
 rules.add_perm('orga.view_track', can_change_submissions)
-rules.add_perm('orga.edit_track', can_change_submissions)
-rules.add_perm('orga.remove_track', can_change_submissions)
+rules.add_perm('orga.edit_track', can_change_event_settings)
+rules.add_perm('orga.remove_track', can_change_event_settings)
 rules.add_perm('orga.view_mails', can_change_submissions)
 rules.add_perm('orga.send_mails', can_change_submissions)
 rules.add_perm('orga.edit_mails', can_change_submissions & can_edit_mail)
@@ -133,7 +133,7 @@ def can_view_speaker_names(user, obj):
 rules.add_perm('orga.change_submissions', can_change_submissions)
 rules.add_perm('orga.change_submission_state', can_change_submissions | (is_reviewer & reviewer_can_change_submissions))
 rules.add_perm('orga.view_information', can_change_submissions)
-rules.add_perm('orga.change_information', can_change_submissions)
+rules.add_perm('orga.change_information', can_change_event_settings)
 rules.add_perm('orga.create_events', can_create_events)
 rules.add_perm('orga.change_plugins', is_administrator)
 rules.add_perm('orga.mark_speakers_arrived', can_change_submissions & can_mark_speakers_arrived)