Fix permissions

6e7aed10 · Tom Teichler · 47badb01 · 6e7aed10 · 6e7aed10
Verified Commit 6e7aed10 authored 4 years ago by Tom Teichler
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -196,22 +196,30 @@ change_group_preferences = has_person & (
 add_perm("core.change_group_preferences", change_group_preferences)

 # Edit additional field
-edit_additional_field_predicate = has_person & (
-    has_global_perm("core.change_additional_field")
-    | has_object_perm("core.change_additional_field")
+change_additionalfield_predicate = has_person & (
+    has_global_perm("core.change_additionalfield")
+    | has_object_perm("core.change_additionalfield")
 )
-add_perm("core.edit_additional_field", edit_additional_field_predicate)
+add_perm("core.change_additionalfield", change_additionalfield_predicate)
+
+# Edit additional field
+create_additionalfield_predicate = has_person & (
+    has_global_perm("core.create_additionalfield")
+    | has_object_perm("core.create_additionalfield")
+)
+add_perm("core.create_additionalfield", create_additionalfield_predicate)
+

 # Delete additional field
-delete_additional_field_predicate = has_person & (
-    has_global_perm("core.delete_additional_field")
-    | has_object_perm("core.delete_additional_field")
+delete_additionalfield_predicate = has_person & (
+    has_global_perm("core.delete_additionalfield")
+    | has_object_perm("core.delete_additionalfield")
 )
-add_perm("core.delete_additional_field", delete_additional_field_predicate)
+add_perm("core.delete_additionalfield", delete_additionalfield_predicate)

 # View additional fields
-view_additional_field_predicate = has_person & (
+view_additionalfield_predicate = has_person & (
    has_global_perm("core.view_additionalfield")
    | has_any_object("core.view_additionalfield", AdditionalField)
 )
-add_perm("core.view_additionalfield", view_additional_field_predicate)
+add_perm("core.view_additionalfield", view_additionalfield_predicate)
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -448,7 +448,7 @@ def preferences(


 @permission_required(
-    "core.edit_additional_field", fn=objectgetter_optional(AdditionalField, None, False)
+    "core.change_additionalfield", fn=objectgetter_optional(AdditionalField, None, False)
 )
 def edit_additional_field(request: HttpRequest, id_: Optional[int] = None) -> HttpResponse:
    """View to edit or create a additional_field."""
@@ -463,8 +463,11 @@ def edit_additional_field(request: HttpRequest, id_: Optional[int] = None) -> Ht
            request.POST or None, instance=additional_field
        )
    else:
-        # Empty form to create a new additional_field
-        edit_additional_field_form = EditAdditionalFieldForm(request.POST or None)
+        if request.user.has_perm("core.create_additionalfield"):
+            # Empty form to create a new additional_field
+            edit_additional_field_form = EditAdditionalFieldForm(request.POST or None)
+        else:
+            raise PermissionDenied()

    if request.method == "POST":
        if edit_additional_field_form.is_valid():
@@ -498,7 +501,7 @@ def additional_fields(request: HttpRequest) -> HttpResponse:


 @permission_required(
-    "core.delete_additional_field", fn=objectgetter_optional(AdditionalField, None, False)
+    "core.delete_additionalfield", fn=objectgetter_optional(AdditionalField, None, False)
 )
 def delete_additional_field(request: HttpRequest, id_: int) -> HttpResponse:
    """View to delete an additional_field."""