[Fixes #2149] Raise 403 when project/update/result editing is not all…

…owed
akvo · May 23, 2016 · be2db58 · be2db58
1 parent c554be2
commit be2db58
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/akvo/rsr/views/my_rsr.py b/akvo/rsr/views/my_rsr.py
@@ -244,7 +244,7 @@ def project_editor(request, project_id):
     except Project.DoesNotExist:
         return Http404
 
-    if not request.user.has_perm('rsr.change_project', project):
+    if not request.user.has_perm('rsr.change_project', project) or project.status == 'C':
         raise PermissionDenied
 
     # Custom fields
@@ -480,7 +480,7 @@ def my_results(request, project_id):
     project = get_object_or_404(Project, pk=project_id)
     user = request.user
 
-    if not user.has_perm('rsr.change_project', project):
+    if not user.has_perm('rsr.change_project', project) or project.status == 'C' or not project.is_published():
         raise PermissionDenied
 
     me_managers_group = Group.objects.get(name='M&E Managers')

diff --git a/akvo/rsr/views/project.py b/akvo/rsr/views/project.py
@@ -413,6 +413,10 @@ def set_update(request, project_id, edit_mode=False, form_class=ProjectUpdateFor
     updates = project.updates_desc()[:5]
     update = None
 
+    # Prevent editing if project is completed or unpublished
+    if project.status == 'C' or not project.is_published():
+        raise PermissionDenied
+
     if update_id is not None:
         edit_mode = True
         update = get_object_or_404(ProjectUpdate, id=update_id)