Team member don't have access to other people authorizations

This commit is contained in:
Yohann D'ANELLO 2021-03-28 20:09:29 +02:00
parent 35863c4bda
commit a45d57e51a
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
2 changed files with 3 additions and 2 deletions

View File

@ -101,11 +101,13 @@
</dd> </dd>
</dl> </dl>
{% if user.registration.is_volunteer %}
<div class="text-center"> <div class="text-center">
<a class="btn btn-info" href="{% url "participation:team_authorizations" pk=team.pk %}" data-turbolinks="false"> <a class="btn btn-info" href="{% url "participation:team_authorizations" pk=team.pk %}" data-turbolinks="false">
<i class="fas fa-file-archive"></i> {% trans "Download all submitted authorizations" %} <i class="fas fa-file-archive"></i> {% trans "Download all submitted authorizations" %}
</a> </a>
</div> </div>
{% endif %}
</div> </div>
<div class="card-footer text-center"> <div class="card-footer text-center">
<button class="btn btn-primary" data-toggle="modal" data-target="#updateTeamModal">{% trans "Update" %}</button> <button class="btn btn-primary" data-toggle="modal" data-target="#updateTeamModal">{% trans "Update" %}</button>

View File

@ -372,8 +372,7 @@ class TeamAuthorizationsView(LoginRequiredMixin, DetailView):
user = request.user user = request.user
if not user.is_authenticated: if not user.is_authenticated:
return super().handle_no_permission() return super().handle_no_permission()
if user.registration.is_admin or user.registration.participates and user.registration.team.pk == kwargs["pk"] \ if user.registration.is_admin or user.registration.is_volunteer \
or user.registration.is_volunteer \
and self.get_object().participation.tournament in user.registration.interesting_tournaments: and self.get_object().participation.tournament in user.registration.interesting_tournaments:
return super().dispatch(request, *args, **kwargs) return super().dispatch(request, *args, **kwargs)
raise PermissionDenied raise PermissionDenied