From d82687aa20622614d75e275f673a15dcf337729b Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Thu, 8 Aug 2024 18:31:04 +0200
Subject: [PATCH] Move permission check when editing substitutions

---
 aleksis/apps/alsijil/models.py               | 5 ++++-
 aleksis/apps/alsijil/schema/documentation.py | 3 ---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/aleksis/apps/alsijil/models.py b/aleksis/apps/alsijil/models.py
index c85b285eb..ed1da5ee7 100644
--- a/aleksis/apps/alsijil/models.py
+++ b/aleksis/apps/alsijil/models.py
@@ -709,7 +709,10 @@ class Documentation(CalendarEvent):
                 *cls.parse_dummy(_id),
             ), True
 
-        return cls.objects.get(id=_id), False
+        obj = cls.objects.get(id=_id)
+        if not user.has_perm("alsijil.edit_documentation_rule", obj):
+            raise PermissionDenied()
+        return obj, False
 
     def touch(self):
         """Ensure that participation statuses are created for this documentation."""
diff --git a/aleksis/apps/alsijil/schema/documentation.py b/aleksis/apps/alsijil/schema/documentation.py
index 39eed04a4..4f6436297 100644
--- a/aleksis/apps/alsijil/schema/documentation.py
+++ b/aleksis/apps/alsijil/schema/documentation.py
@@ -110,9 +110,6 @@ class DocumentationBatchCreateOrUpdateMutation(graphene.Mutation):
         # is only introduced in Django 5.0
         obj, __ = Documentation.get_or_create_by_id(_id, info.context.user)
 
-        if not info.context.user.has_perm("alsijil.edit_documentation_rule", obj):
-            raise PermissionDenied()
-
         if doc.topic is not None:
             obj.topic = doc.topic
         if doc.homework is not None:
-- 
GitLab