fix: Make attendee info editable only by admin or that user itself #7108

Merged
merged 6 commits into from
Jul 4, 2020

Haider8 (Contributor) commented Jul 3, 2020

Fixes #7104

Short description of what this resolves:

Right now anybody can edit attendee info, which is not correct.

Changes proposed in this pull request:

Only admin or that user itself should be able to edit attendee's info.

Checklist

  • I have read the Contribution & Best practices Guide and my PR follows them.
  • My branch is up-to-date with the Upstream development branch.
  • The unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • All the functions created/modified in this PR contain relevant docstrings.

@auto-label auto-label bot added the fix label Jul 3, 2020
@iamareebjamal (Member)

Please add tests for the logic


if not (current_user.is_staff or current_user.id == order.user_id):
raise ForbiddenError(
{'source': ''}, 'Only admin or that user itself can update attendee info',
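Review bot: the condition reads `order.user_id`, and nothing in these lines shows that `order` is checked for being set first. If an attendee can reach this path without an order, the comparison fails with an AttributeError instead of the intended ForbiddenError; add an explicit `order is None` branch that denies non-staff users. The message also says "admin" while the check uses `current_user.is_staff`, so confirm that flag is the role meant.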
Member

{'source': ''} is useless. Provide better pointer or remove it altogether
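
An added example, not code from this pull request or the project: the rule in the reviewed condition (staff, or the user whose id matches `order.user_id`) written as a deny-by-default check, with a constructed access matrix of the kind the requested tests could assert. The `User`, `Order` and `EditForbidden` types and all function names are assumptions for illustration; only `is_staff` and `user_id` come from the quoted lines.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:  # stand-in for the project's user model (assumption)
    id: int
    is_staff: bool = False


@dataclass(frozen=True)
class Order:  # stand-in for the order an attendee belongs to (assumption)
    user_id: int


class EditForbidden(Exception):
    """Hypothetical error type; the PR raises the project's ForbiddenError."""


def ensure_can_edit_attendee(current_user, order) -> None:
    """Allow staff, or the user who owns the attendee's order; deny the rest."""
    if current_user is None:
        raise EditForbidden("authentication required")
    if current_user.is_staff:
        return
    # Deny by default when there is no order to compare ownership against.
    if order is None or current_user.id != order.user_id:
        raise EditForbidden("Only admin or that user itself can update attendee info")


def is_allowed(current_user, order) -> bool:
    try:
        ensure_can_edit_attendee(current_user, order)
    except EditForbidden:
        return False
    return True


def access_matrix() -> dict:
    """Constructed cases covering each branch of the rule."""
    owner, other, admin = User(1), User(2), User(3, is_staff=True)
    order = Order(user_id=owner.id)
    return {
        "owner": is_allowed(owner, order),
        "other_user": is_allowed(other, order),
        "admin": is_allowed(admin, order),
        "anonymous": is_allowed(None, order),
        "owner_no_order": is_allowed(owner, None),
        "admin_no_order": is_allowed(admin, None),
    }
```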

@niranjan94 (Member)

Codacy Here is an overview of what got changed by this pull request:

Complexity increasing per file
==============================
- app/api/attendees.py  2
         

Clones added
============
- tests/all/integration/api/attendee/test_attendee_api.py  11
         


Haider8 (Contributor, Author) commented Jul 4, 2020

@iamareebjamal Please review

codecov bot commented Jul 4, 2020

Codecov Report

Merging #7108 into development will increase coverage by 0.01%.
The diff coverage is 100.00%.


@@               Coverage Diff               @@
##           development    #7108      +/-   ##
===============================================
+ Coverage        62.51%   62.53%   +0.01%     
===============================================
  Files              262      262              
  Lines            13006    13008       +2     
===============================================
+ Hits              8131     8134       +3     
+ Misses            4875     4874       -1     

| Impacted Files | Coverage Δ |
|---|---|
| app/api/attendees.py | 51.23% <100.00%> (+0.81%) ⬆️ |
| app/api/helpers/errors.py | 100.00% <0.00%> (+2.85%) ⬆️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 289cd58...6eb0941.

iamareebjamal merged commit e2e038c into fossasia:development Jul 4, 2020
Successfully merging this pull request may close these issues.

Attendee info should be editable by admin or user itself
3 participants