From d82687aa20622614d75e275f673a15dcf337729b Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Thu, 8 Aug 2024 18:31:04 +0200
Subject: [PATCH] Move permission check when editing substitutions

---
 aleksis/apps/alsijil/models.py | 5 ++++-
 aleksis/apps/alsijil/schema/documentation.py | 3 ---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/aleksis/apps/alsijil/models.py b/aleksis/apps/alsijil/models.py
index c85b285eb..ed1da5ee7 100644
--- a/aleksis/apps/alsijil/models.py
+++ b/aleksis/apps/alsijil/models.py
@@ -709,7 +709,10 @@ class Documentation(CalendarEvent):
 *cls.parse_dummy(_id),
 ), True
 
- return cls.objects.get(id=_id), False
+ obj = cls.objects.get(id=_id)
+ if not user.has_perm("alsijil.edit_documentation_rule", obj):
+ raise PermissionDenied()
+ return obj, False
 
 def touch(self):
 """Ensure that participation statuses are created for this documentation."""
diff --git a/aleksis/apps/alsijil/schema/documentation.py b/aleksis/apps/alsijil/schema/documentation.py
index 39eed04a4..4f6436297 100644
--- a/aleksis/apps/alsijil/schema/documentation.py
+++ b/aleksis/apps/alsijil/schema/documentation.py
@@ -110,9 +110,6 @@ class DocumentationBatchCreateOrUpdateMutation(graphene.Mutation):
 # is only introduced in Django 5.0
 obj, __ = Documentation.get_or_create_by_id(_id, info.context.user)
 
- if not info.context.user.has_perm("alsijil.edit_documentation_rule", obj):
- raise PermissionDenied()
-
 if doc.topic is not None:
 obj.topic = doc.topic
 if doc.homework is not None:
-- 
GitLab
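Review bot: The new `has_perm("alsijil.edit_documentation_rule", obj)` check sits only on the `cls.objects.get(id=_id)` path, so the dummy-id branch that returns `create_from_lesson_event(...), True` just above it no longer passes through this rule now that the second hunk removes the caller-side check in `DocumentationBatchCreateOrUpdateMutation`. If that is intended, `create_from_lesson_event` has to enforce its own rule for the user; its body is outside this hunk, so that should be confirmed and covered by a test in which a user without rights submits a dummy id. Because the method now authorizes as well as fetches, its docstring should say so, e.g. `Raises PermissionDenied if the user may not edit the existing documentation.` The diff adds no import to models.py, so `PermissionDenied` must already be imported there; otherwise the denial path raises NameError instead. `get_or_create_by_id` starts above the hunk.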