diff --git a/backend/clubs/permissions.py b/backend/clubs/permissions.py
index daf103333..664c0775c 100644
--- a/backend/clubs/permissions.py
+++ b/backend/clubs/permissions.py
@@ -116,6 +116,8 @@ class ClubPermission(permissions.BasePermission):
 
     Anyone should be able to view, if the club is approved.
     Otherwise, only members or people with permission should be able to view.
+
+    Actions default to owners/officers only unless specified below.
     """
 
     def has_object_permission(self, request, view, obj):
@@ -163,7 +165,7 @@ def has_object_permission(self, request, view, obj):
         if membership is None:
             return False
         # user has to be an owner to delete a club, an officer to edit it
-        if view.action in ["destroy"]:
+        if view.action in {"destroy"}:
             return membership.role <= Membership.ROLE_OWNER
         else:
             return membership.role <= Membership.ROLE_OFFICER
@@ -171,7 +173,9 @@ def has_object_permission(self, request, view, obj):
     def has_permission(self, request, view):
         if view.action in {
             "children",
+            "create",
             "destroy",
+            "history",
             "parents",
             "partial_update",
             "update",
@@ -179,8 +183,6 @@ def has_permission(self, request, view):
             "upload_file",
         }:
             return request.user.is_authenticated
-        elif view.action in {"create"}:
-            return request.user.is_authenticated
         else:
             return True
 
diff --git a/backend/clubs/views.py b/backend/clubs/views.py
index 1b32cf83d..7210e7a2e 100644
--- a/backend/clubs/views.py
+++ b/backend/clubs/views.py
@@ -18,7 +18,6 @@
 import pytz
 import qrcode
 import requests
-import rest_framework
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from CyberSource import (
@@ -1279,7 +1278,6 @@ def upload_file(self, request, *args, **kwargs):
         return file_upload_endpoint_helper(request, code=club.code)
 
     @action(detail=True, methods=["get"])
-    @rest_framework.decorators.permission_classes([ClubSensitiveItemPermission])
     def history(self, request, *args, **kwargs):
         """
         Return a simplified approval history for the club.
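Review bot: The one-element set in `if view.action in {"destroy"}:` reads as a membership test where a plain equality is meant; `if view.action == "destroy":` says the same thing more directly, and the `else:` after a `return` can be dropped. has_object_permission starts outside this hunk, so any actions it special-cases above this owner/officer tail are not visible here.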
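Review bot: Adding `"history"` to this set gates the action only on `request.user.is_authenticated`; the per-club check that `ClubSensitiveItemPermission` used to provide (the decorator removed in the views.py hunk) now has to come from `has_object_permission`, which DRF consults only when the action calls `self.get_object()` or `check_object_permissions()` — the body of `history` continues past the end of the views.py hunk, so confirm it does one of those. If it does, the visible tail of `has_object_permission` falls through to `membership.role <= Membership.ROLE_OFFICER` for `history` unless an earlier branch (outside this hunk) handles it; verify that this is at least as strict as what `ClubSensitiveItemPermission` enforced, and pin it with a test asserting that an authenticated non-member gets 403 on `history`. A comment beside the new entry, e.g. `# approval history is sensitive: authenticated here, officer-level in has_object_permission`, would make the intended two-layer check explicit.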