mirror of https://gitlab.crans.org/bde/nk20 synced 2024-11-26 18:37:12 +00:00

Fix permission checks in the /api/me view

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
Yohann D'ANELLO 2022-03-09 11:45:24 +01:00
parent d9b4e0a9a9
commit 58136f3c48
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85


@ -60,12 +60,12 @@ class OAuthSerializer(serializers.ModelSerializer):
def get_profile(self, obj): def get_profile(self, obj):
# Display the profile of the user only if we have rights to see it. # Display the profile of the user only if we have rights to see it.
return ProfileSerializer().to_representation(obj.profile) \ return ProfileSerializer().to_representation(obj.profile) \
if PermissionBackend.has_perm(get_current_request(), obj.profile, 'view') else None if PermissionBackend.check_perm(get_current_request(), 'member.view_profile', obj.profile) else None
def get_note(self, obj): def get_note(self, obj):
# Display the note of the user only if we have rights to see it. # Display the note of the user only if we have rights to see it.
return NoteSerializer().to_representation(obj.note) \ return NoteSerializer().to_representation(obj.note) \
if PermissionBackend.has_perm(get_current_request(), obj.note, 'view') else None if PermissionBackend.check_perm(get_current_request(), 'note.view_note', obj.note) else None
def get_memberships(self, obj): def get_memberships(self, obj):
# Display only memberships that we are allowed to see. # Display only memberships that we are allowed to see.
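Review bot: The rewritten guards in get_profile and get_note now depend on the hard-coded codenames `'member.view_profile'` and `'note.view_note'`, and nothing visible in this commit pins the behaviour that was broken before. A regression test on /api/me for a requester without view rights, expecting `profile` and `note` to be null, would be worth adding alongside the fix. It would also be worth confirming that `check_perm` denies rather than raises or grants when `get_current_request()` yields no request, since that helper's body is not shown here. A one-line docstring on each getter, such as `"""Return the serialized profile, or None when the requester lacks member.view_profile."""`, would make the null case explicit for API consumers. get_memberships starts at the end of the hunk and its body is outside it, so it is not covered by this note.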