Allow group owners to see their members.

To be more precise, a user can see a person if it is a member of any group they are an owner of.

Allow group owners to see their members.
0ebe33cf · Nik | Klampfradler · 1faa8812 · 0ebe33cf
Verified Commit 0ebe33cf authored 7 years ago by Nik | Klampfradler
--- a/ticdesk_org/util.py
+++ b/ticdesk_org/util.py
@@ -51,6 +51,10 @@ def may_see_person(person, user):
    if user.is_paeda:
        return True
+    # Owners of groups can see their members
+    if set(user.groups_owner) & set(person.groups_member):
+        return True
    # Secure fallback to False
    logger.warning("%s tried to access disallowed person %s" % (user.uid, person.dn))
    return False