Merge pull request #348 from mdzik/mdzik-project-notification-permiss…

…ions Check permissions on notification updates
ubccr · Jan 11, 2022 · 001913d · 001913d
2 parents e0ead55 + 1f4b3f6
commit 001913d
Showing 1 changed file with 33 additions and 11 deletions.
diff --git a/coldfront/core/project/views.py b/coldfront/core/project/views.py
@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.contrib.auth.decorators import user_passes_test, login_required
 from django.contrib.auth.models import User
 from coldfront.core.utils.common import import_from_settings
 from django.contrib.messages.views import SuccessMessageMixin
@@ -870,25 +871,46 @@ def post(self, request, *args, **kwargs):
                 return HttpResponseRedirect(reverse('project-user-detail', kwargs={'pk': project_obj.pk, 'project_user_pk': project_user_obj.pk}))
 
 
+@login_required
 def project_update_email_notification(request):
 
     if request.method == "POST":
         data = request.POST
         project_user_obj = get_object_or_404(
             ProjectUser, pk=data.get('user_project_id'))
-        checked = data.get('checked')
-        if checked == 'true':
-            project_user_obj.enable_notifications = True
-            project_user_obj.save()
-            return HttpResponse('', status=200)
-        elif checked == 'false':
-            project_user_obj.enable_notifications = False
-            project_user_obj.save()
-            return HttpResponse('', status=200)
+
+
+        project_obj = project_user_obj.project
+
+        allowed = False
+        if project_obj.pi == request.user:
+            allowed = True
+
+        if project_obj.projectuser_set.filter(user=request.user, role__name='Manager', status__name='Active').exists():
+            allowed = True
+
+        if project_user_obj.user == request.user:
+            allowed = True
+
+        if request.user.is_superuser:
+            allowed = True
+
+        if allowed == False:
+             return HttpResponse('not allowed', status=403)
         else:
-            return HttpResponse('', status=400)
+            checked = data.get('checked')
+            if checked == 'true':
+                project_user_obj.enable_notifications = True
+                project_user_obj.save()
+                return HttpResponse('checked', status=200)
+            elif checked == 'false':
+                project_user_obj.enable_notifications = False
+                project_user_obj.save()
+                return HttpResponse('unchecked', status=200)
+            else:
+                return HttpResponse('no checked', status=400)
     else:
-        return HttpResponse('', status=400)
+        return HttpResponse('no POST', status=400)
 
 
 class ProjectReviewView(LoginRequiredMixin, UserPassesTestMixin, TemplateView):