From bceb35dfcfcb8c3c0a6aa69edb1c254b69a8176b Mon Sep 17 00:00:00 2001
From: Ernesto Rico Schmidt <ernesto@helsinki.at>
Date: Wed, 20 Mar 2024 20:08:24 -0400
Subject: [PATCH] fix: check for add_note & change_note permissions

---
 program/serializers.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/program/serializers.py b/program/serializers.py
index f4cd9b2c..fb41a215 100644
--- a/program/serializers.py
+++ b/program/serializers.py
@@ -988,7 +988,10 @@ class NoteSerializer(serializers.ModelSerializer):
         user_is_owner = user in show.owners.all()
 
         # Having the create_note permission overrides the ownership
-        if not (user.has_perm("program.create_note") or user_is_owner):
+        if not (
+            user.has_perm("program.create_note")
+            or (user.has_perm("program.add_note") and user_is_owner)
+        ):
             raise exceptions.PermissionDenied(detail="You are not allowed to create this note.")
 
         # we derive `contributors`, `language` and `topic` from the Show's values if not set
@@ -1023,7 +1026,10 @@ class NoteSerializer(serializers.ModelSerializer):
         user_is_owner = user in instance.timeslot.schedule.show.owners.all()
 
         # Having the update_note permission overrides the ownership
-        if not (user.has_perm("program.update_note") or user_is_owner):
+        if not (
+            user.has_perm("program.update_note")
+            or (user.has_perm("program.change_note") and user_is_owner)
+        ):
             raise exceptions.PermissionDenied(detail="You are not allowed to update this note.")
 
         if "cba_id" in validated_data:
-- 
GitLab