From 25178e8452506ebb41361746d0fb9c1c9c85d308 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Tue, 8 Oct 2024 17:56:58 -0400
Subject: [PATCH] feat: check for permissions before updating a timeslot

---
 program/serializers.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/program/serializers.py b/program/serializers.py
index 8cc8124e..2490abbd 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -998,6 +998,18 @@ class TimeSlotSerializer(serializers.ModelSerializer):
     def update(self, instance, validated_data):
         """Update and return an existing Show instance, given the validated data."""
 
+        user = self.context.get("request").user
+        user_is_owner = user in instance.schedule.show.owners.all()
+
+        # Having the update_timeslot permission overrides the ownership
+        if not (
+            user.has_perm("program.update_timeslot")
+            or (user.has_perm("program.change_timeslot") and user_is_owner)
+        ):
+            raise exceptions.PermissionDenied(
+                detail="You are not allowed to update this timeslot."
+            )
+
         if "memo" in validated_data:
             instance.memo = validated_data.get("memo")
 
-- 
GitLab