
bug fixing - bugs detected by manually poking around on the site

need additional testing suite to systematically go through all
permissions
need additional permissions check at Model level - models.py
Sander Roosendaal
2020-01-17 14:33:56 +01:00
parent c186895e7a
commit 1c9bdc24b5
6 changed files with 19 additions and 18 deletions


@@ -429,7 +429,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
except Rower.DoesNotExist:
raise Http404("Rower doesn't exist")
if not can_plan_user(request.user,r ):
if r.user != request.user and not can_plan_user(request.user,r ):
request.session['rowerid'] = r.id
raise PermissionDenied("You have no access to this user")
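Review bot: The denial branch still runs `request.session['rowerid'] = r.id` before `raise PermissionDenied(...)`, so the session ends up holding the id of the rower the caller was just refused. Indentation is lost in this rendering, but both lines appear to sit inside the new `if r.user != request.user and not can_plan_user(request.user,r ):` branch. If any other view uses `request.session['rowerid']` as its default rower without re-running the permission check (not visible here), a denied request would still change which rower later pages act on. I would drop the session write from this branch and store the id only after the check has passed, and add a short comment above the condition such as `# owners always pass; everyone else needs can_plan_user`. The body of getrequestplanrower starts before this hunk, so whether the id is stored again on the success path cannot be confirmed from here.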