Configure permissions correctly

zandercymatics 2024-10-03 11:39:43 -06:00
parent 1f2793bfc1
commit b08c7e1478
No known key found for this signature in database
GPG key ID: FF4636ABEC9682B7
2 changed files with 19 additions and 1 deletions


@ -175,7 +175,7 @@ urlpatterns = [
name="export_data_type_user",
),
path(
"domain-request/<id>/edit/",
"domain-request/<int:id>/edit/",
views.DomainRequestWizard.as_view(),
name=views.DomainRequestWizard.EDIT_URL_NAME,
),


@ -384,10 +384,28 @@ class DomainRequestWizardPermission(PermissionsLoginMixin):
The user is in self.request.user
"""
if not self.request.user.is_authenticated:
return False
# The user has an ineligible flag
if self.request.user.is_restricted():
return False
# user needs to be the creator of the domain request to edit it.
id = self.kwargs.get("id") if hasattr(self, "kwargs") else None
if not id:
domain_request_wizard = self.request.session.get("wizard_domain_request")
if domain_request_wizard:
id = domain_request_wizard.get("domain_request_id")
if not DomainRequest.objects.filter(creator=self.request.user, id=id).exists():
return False
if self.request.user.is_org_user(self.request):
portfolio = self.request.session.get("portfolio")
if not self.request.user.has_edit_request_portfolio_permission(portfolio):
return False
return True
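Review bot: When neither the URL kwarg nor the `wizard_domain_request` session entry supplies an id, the creator check runs `DomainRequest.objects.filter(creator=self.request.user, id=None)`, which matches no row, so the method returns False. That fails closed, which is the safe direction for an ownership check. If this mixin also guards the step where a user starts a brand-new request (not visible in this hunk), those users would be denied as well. Please make the intent explicit: either guard the lookup with `if id and not DomainRequest.objects.filter(creator=self.request.user, id=id).exists():` if a missing id is meant to be allowed, or keep the denial and add a comment such as `# no id means there is no request to own: deny`. The local name `id` also shadows the builtin, so `domain_request_id` would read better; the method's signature and the start of its docstring lie outside the hunk.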