From afbc67c413deff5b6924757331fd8430a79c50ea Mon Sep 17 00:00:00 2001
From: Emmy D'Anello
Date: Sat, 16 Mar 2024 07:31:19 +0100
Subject: [PATCH] Let coaches update payment of the team
Signed-off-by: Emmy D'Anello
---
 registration/views.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/registration/views.py b/registration/views.py
index e74c337..b959ac3 100644
--- a/registration/views.py
+++ b/registration/views.py
@@ -449,9 +449,13 @@ class PaymentUpdateView(LoginRequiredMixin, UpdateView):
 form_class = PaymentAdminForm
 def dispatch(self, request, *args, **kwargs):
- if not self.request.user.is_authenticated or \
- not self.request.user.registration.is_admin \
- and self.request.user.registration not in self.get_object().registrations.all():
+ user = self.request.user
+ object = self.get_object()
+ if not user.is_authenticated or \
+ not user.registration.is_admin \
+ and (user.registration.is_volunteer and user.registration in object.tournament.organizers.all()
+ or user.registration.is_student and user.registration not in object.registrations.all()
+ or user.registration.is_coach and user.registration.team != object.team):
 return self.handle_no_permission()
 return super().dispatch(request, *args, **kwargs)
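Review bot: The volunteer branch of the new condition in `dispatch` looks inverted: it refuses a volunteer who is in `object.tournament.organizers.all()` and lets through every volunteer who is not, which is presumably the opposite of the intent (`not in`). Because the test is written as a list of refusal cases, a non-admin registration that is none of volunteer, student or coach also passes, so the check fails open; stating who is allowed and refusing everything else is safer. `self.get_object()` now runs before the `is_authenticated` test, so an anonymous request hits the database and may get a 404 rather than the login redirect, and the local name `object` shadows the builtin. The enclosing class starts above the hunk, so whether `PaymentAdminForm` is still the right form for coaches cannot be judged from here.

```python
    def dispatch(self, request, *args, **kwargs):
        user = self.request.user
        # Refuse anonymous requests before any object lookup.
        if not user.is_authenticated:
            return self.handle_no_permission()
        payment = self.get_object()
        reg = user.registration
        # Allow-list: anything not matched below is refused.
        allowed = (
            reg.is_admin
            or (reg.is_volunteer and reg in payment.tournament.organizers.all())
            or (reg.is_student and reg in payment.registrations.all())
            or (reg.is_coach and reg.team == payment.team)
        )
        if not allowed:
            return self.handle_no_permission()
        # … unchanged: return super().dispatch(request, *args, **kwargs) …
```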