From be2db584799173cc0e6146e009e4b2df3508c8db Mon Sep 17 00:00:00 2001
From: Damien Allen
Date: Mon, 23 May 2016 11:23:41 +0200
Subject: [PATCH] [Fixes #2149] Raise 403 when project/update/result editing is not allowed

---
 akvo/rsr/views/my_rsr.py | 4 ++--
 akvo/rsr/views/project.py | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/akvo/rsr/views/my_rsr.py b/akvo/rsr/views/my_rsr.py
index 38c329531c..faae281fb7 100644
--- a/akvo/rsr/views/my_rsr.py
+++ b/akvo/rsr/views/my_rsr.py
@@ -244,7 +244,7 @@ def project_editor(request, project_id):
     except Project.DoesNotExist:
         return Http404
 
-    if not request.user.has_perm('rsr.change_project', project):
+    if not request.user.has_perm('rsr.change_project', project) or project.status == 'C':
         raise PermissionDenied
 
     # Custom fields
@@ -480,7 +480,7 @@ def my_results(request, project_id):
     project = get_object_or_404(Project, pk=project_id)
     user = request.user
 
-    if not user.has_perm('rsr.change_project', project):
+    if not user.has_perm('rsr.change_project', project) or project.status == 'C' or not project.is_published():
         raise PermissionDenied
 
     me_managers_group = Group.objects.get(name='M&E Managers')
diff --git a/akvo/rsr/views/project.py b/akvo/rsr/views/project.py
index bf18092ded..1b94957060 100644
--- a/akvo/rsr/views/project.py
+++ b/akvo/rsr/views/project.py
@@ -413,6 +413,10 @@ def set_update(request, project_id, edit_mode=False, form_class=ProjectUpdateFor
     updates = project.updates_desc()[:5]
     update = None
 
+    # Prevent editing if project is completed or unpublished
+    if project.status == 'C' or not project.is_published():
+        raise PermissionDenied
+
     if update_id is not None:
         edit_mode = True
         update = get_object_or_404(ProjectUpdate, id=update_id)
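Review bot: The context line `return Http404` two lines above the changed condition returns the exception class instead of raising it, so a missing project makes project_editor hand Django a non-response object rather than a 404; since this commit is about the error path of the same view, `raise Http404` belongs in it. The new `project.status == 'C'` literal is also repeated verbatim in the my_results hunk below and in the set_update hunk of project.py; a single named status constant, or one small helper on Project (say an `is_editable()` method) that the three views call, would keep them in step when the rule changes. Only this view omits the `is_published()` half of the check the other two hunks add — presumably deliberate, since unpublished projects are edited here, but a one-line comment such as `# unpublished projects must remain editable; only completed ones are locked` would stop a later "fix". project_editor's body continues on both sides of the hunk.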
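Review bot: The rewritten condition in my_results runs to well over 100 characters and folds an authorization check together with two project-state checks, so the reason for the 403 is hard to read at a glance. Naming the state part first keeps the permission check visibly in front and the line within the file's width: `editing_closed = project.status == 'C' or not project.is_published()` followed by `if not user.has_perm('rsr.change_project', project) or editing_closed:`. The rest of my_results, including whatever uses me_managers_group, lies outside the hunk.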
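Review bot: The added `raise PermissionDenied` is the first use of that name visible in project.py and the hunk shows no import for it; please confirm `from django.core.exceptions import PermissionDenied` is present near the top of the file, otherwise the exact path this commit means to turn into a 403 would instead fail with a NameError (a 500). The guard is also placed after `updates = project.updates_desc()[:5]`; if updates_desc() is not a lazy queryset that line does work for a request that is about to be rejected, so moving the new block above it (or directly after the project is loaded, which happens before the hunk starts) is cheaper and reads more naturally. The signature in the hunk header is truncated and `update_id` comes from outside the hunk; set_update's body continues on both sides.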