From 48a992119afa44d7f03a926393eb6acd99d3c10a Mon Sep 17 00:00:00 2001
From: Oskar Hahn
Date: Thu, 13 Sep 2012 12:09:17 +0200
Subject: [PATCH] Fixted permissions for editing an application The suppmitter could edit an application after it was finished by manipulating the url
---
 openslides/application/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openslides/application/views.py b/openslides/application/views.py
index 34f47b201..18bef8a1b 100644
--- a/openslides/application/views.py
+++ b/openslides/application/views.py
@@ -182,8 +182,8 @@ def edit(request, application_id=None):
 return redirect(reverse('application_overview'))
 if application_id is not None:
 application = Application.objects.get(id=application_id)
- if not request.user == application.submitter and not is_manager:
- messages.error(request, _("You can not edit this motion. You are not the submitter."))
+ if not 'edit' in application.get_allowed_actions(request.user):
+ messages.error(request, _("You can not edit this motion."))
 return redirect(reverse('application_view', args=[application.id]))
 actions = application.get_allowed_actions(user=request.user)
 else:
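Review bot: The new guard calls `application.get_allowed_actions(...)` twice for the same user, once positionally in the check and once with `user=` two lines later, so the permission decision and the `actions` value used afterwards come from separate calls. Compute it once before the check, `actions = application.get_allowed_actions(user=request.user)` followed by `if 'edit' not in actions:`, which also replaces the harder-to-read `not 'edit' in` form. The diffstat shows only views.py changed, so no test pins this authorization fix; a test that requests the edit URL as the submitter of a finished application and expects the redirect to `application_view` with nothing saved would keep it from regressing. `edit` starts and ends outside the hunk, so whether the POST path passes through this same check is not visible here and is worth confirming.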