From 74b961fb2a03effcfe57dc430969b19c031877c5 Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Wed, 19 Jun 2024 20:33:10 -0400
Subject: [PATCH] feat: check permissions to create & update user profile

---
 program/serializers.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/program/serializers.py b/program/serializers.py
index 6b47108e..30d9c697 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -189,7 +189,15 @@ class UserSerializer(serializers.ModelSerializer):
             profile = None
 
         if profile_data:
+            user = self.context.get("request").user
+
             if profile:
+                # having the update_user_profile permission overrides being the user
+                if not (user.has_perm("update_user_profile") or user.id == instance.id):
+                    raise exceptions.PermissionDenied(
+                        detail="You do not have permission to update this user profile."
+                    )
+
                 if "cba_username" in profile_data:
                     profile.cba_username = profile_data.get("cba_username")
 
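Review bot: `user.has_perm("update_user_profile")` on the added line passes a bare codename, but Django's default ModelBackend matches permissions in `app_label.codename` form, so with the stock backend this branch can only be satisfied by a superuser and every other caller falls through to the `user.id == instance.id` test. Unless the project installs a custom authentication backend that accepts bare codenames, the check should read `user.has_perm("<app_label>.update_user_profile")` — from the file path the label is presumably `program`, but that should be confirmed against the model's `Meta.permissions`. The same applies to `"create_user_profile"` in the second hunk. The enclosing `update` method begins before and continues past this hunk, so it is not visible whether other `instance` fields have already been written by the time `PermissionDenied` is raised; if they have, moving the check ahead of those writes would avoid a partial update on denial.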
@@ -199,6 +207,12 @@ class UserSerializer(serializers.ModelSerializer):
                 profile.updated_by = self.context.get("request").user.username
                 profile.save()
             else:
+                # having the create_user_profile permission overrides being the user
+                if not (user.has_perm("create_user_profile") or user.id == instance.id):
+                    raise exceptions.PermissionDenied(
+                        detail="You do not have permission to create this user profile."
+                    )
+
                 UserProfile.objects.create(
                     created_by=self.context.get("request").user.username,
                     user=instance,
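Review bot: The added permission check here duplicates the one in the first hunk with only the codename and the message text differing, so a small private helper on the serializer that takes the codename and the action word and raises `exceptions.PermissionDenied` would keep the two branches in step if the rule changes. Separately, now that `user` is bound from `self.context.get("request").user` at the top of the `if profile_data:` block, the `created_by=self.context.get("request").user.username` argument below could simply be `created_by=user.username`, and the same holds for `profile.updated_by` in the context line of this hunk. The `UserProfile.objects.create(...)` call continues past the end of the hunk.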
-- 
GitLab