moanos/Notfellchen
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Ensure users of higher trust level are also allowed

Browse Source
This commit is contained in:
moanos [he/him]
2025-08-10 17:51:25 +02:00
parent 2a9c7cf854
commit 23a724e390
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/fellchensammlung/views.py
View File

@@ -44,8 +44,11 @@ def user_is_trust_level_or_above(user, trust_level=TrustLevel.MODERATOR):
def user_is_owner_or_trust_level(user, django_object, trust_level=TrustLevel.MODERATOR): def user_is_owner_or_trust_level(user, django_object, trust_level=TrustLevel.MODERATOR):
"""
Checks if a user is either the owner of a record or has a trust level equal or higher than the given one
"""
return user.is_authenticated and ( return user.is_authenticated and (
user.trust_level == trust_level or django_object.owner == user) user.trust_level >= trust_level or django_object.owner == user)
def fail_if_user_not_owner_or_trust_level(user, django_object, trust_level=TrustLevel.MODERATOR): def fail_if_user_not_owner_or_trust_level(user, django_object, trust_level=TrustLevel.MODERATOR):
@@ -568,7 +571,7 @@ def user_detail(request, user, token=None):
def user_by_id(request, user_id): def user_by_id(request, user_id):
user = User.objects.get(id=user_id) user = User.objects.get(id=user_id)
# Only users that are mods or owners of the user are allowed to view # Only users that are mods or owners of the user are allowed to view
fail_if_user_not_owner_or_trust_level(request.user, user) fail_if_user_not_owner_or_trust_level(user=request.user, django_object=user, trust_level=TrustLevel.MODERATOR)
if user == request.user: if user == request.user:
return my_profile(request) return my_profile(request)
else: else: