feat: check for permissions before updating a timeslot

25178e84 · Ernesto Rico Schmidt · 212faf0c · 25178e84
Verified Commit 25178e84 authored 5 months ago by Ernesto Rico Schmidt
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -998,6 +998,18 @@ class TimeSlotSerializer(serializers.ModelSerializer):
    def update(self, instance, validated_data):
        """Update and return an existing Show instance, given the validated data."""

+        user = self.context.get("request").user
+        user_is_owner = user in instance.schedule.show.owners.all()
+
+        # Having the update_timeslot permission overrides the ownership
+        if not (
+            user.has_perm("program.update_timeslot")
+            or (user.has_perm("program.change_timeslot") and user_is_owner)
+        ):
+            raise exceptions.PermissionDenied(
+                detail="You are not allowed to update this timeslot."
+            )
+
        if "memo" in validated_data:
            instance.memo = validated_data.get("memo")