dashboard: fix permission check in AclUpdateView

40e3d8d4 · Bach Dániel · 6d5826d5 · 40e3d8d4
Commit 40e3d8d4 authored Jul 22, 2014 by Bach Dániel
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

circle/dashboard/views.py
+5 -2

No files found.
--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -1118,10 +1118,12 @@ class AclUpdateView(LoginRequiredMixin, View, SingleObjectMixin):
    def check_auth(self, whom, old_level, new_level):
        if isinstance(whom, Group):
-            if whom not in AclUpdateView.get_allowed_groups(self.request.user):
+            if (not self.is_owner and whom not in
+                    AclUpdateView.get_allowed_groups(self.request.user)):
                return False
        elif isinstance(whom, User):
-            if whom not in AclUpdateView.get_allowed_users(self.request.user):
+            if (not self.is_owner and whom not in
+                    AclUpdateView.get_allowed_users(self.request.user)):
                return False
        return (
            AclUpdateView.has_next_level(self.request.user,
@@ -1184,6 +1186,7 @@ class AclUpdateView(LoginRequiredMixin, View, SingleObjectMixin):
    def post(self, request, *args, **kwargs):
        self.instance = self.get_object()
+        self.is_owner = self.instance.has_level(request.user, 'owner')
        self.acl_data = (self.instance.get_users_with_level() +
                         self.instance.get_groups_with_level())
        self.set_or_remove_levels()