Fixted permissions for editing an application

The submitter could edit an application after it was finished by
manipulating the URL.
Oskar Hahn 2012-09-13 12:09:17 +02:00
parent b15d70d13d
commit 48a992119a


@ -182,8 +182,8 @@ def edit(request, application_id=None):
return redirect(reverse('application_overview'))
if application_id is not None:
application = Application.objects.get(id=application_id)
if not request.user == application.submitter and not is_manager:
messages.error(request, _("You can not edit this motion. You are not the submitter."))
if not 'edit' in application.get_allowed_actions(request.user):
messages.error(request, _("You can not edit this motion."))
return redirect(reverse('application_view', args=[application.id]))
actions = application.get_allowed_actions(user=request.user)
else:
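Review bot: The new guard calls `application.get_allowed_actions(request.user)` only to test for `'edit'`, and the unchanged line after the redirect calls it a second time as `get_allowed_actions(user=request.user)`. The permission decision and the `actions` used further down would be guaranteed to agree if the list were computed once: move `actions = application.get_allowed_actions(user=request.user)` above the check and write the guard as `if 'edit' not in actions:`, which is also the idiomatic form of `not 'edit' in ...`. Because edit access now rests entirely on `get_allowed_actions`, a regression test that requests the edit URL as the submitter of a finished application and expects the redirect would pin this fix. The body of `edit()` starts and continues outside the hunk, so it is not visible here whether the form-handling path has any other entry that skips this check.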