fix: allows only owner and organizer to delete role-invites

fossasia · Jul 13, 2019 · 40d5003 · 40d5003
1 parent faf208e
commit 40d5003
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/app/api/role_invites.py b/app/api/role_invites.py
@@ -135,6 +135,11 @@ def before_update_object(self, role_invite, data, view_kwargs):
         if not has_access('is_organizer', event_id=role_invite.event_id) and (len(list(data.keys())) > 1 or
                                                                               'status' not in data):
             raise UnprocessableEntity({'source': ''}, "You can only change your status")
+        if 'deleted_at' in data and data['deleted_at']:
+            if role_invite.role_name == 'owner' and not has_access('is_owner', event_id=role_invite.event_id):
+                raise ForbiddenException({'source': ''}, 'Owner access is required.')
+            if role_invite.role_name != 'owner' and not has_access('is_organizer', event_id=role_invite.event_id):
+                raise ForbiddenException({'source': ''}, 'Organizer access is required.')
 
     decorators = (api.has_permission('is_organizer', methods="DELETE", fetch="event_id", fetch_as="event_id",
                                      model=RoleInvite),)