handle edge case where project admins could update permissions
mgonnav committed Oct 23, 2024
1 parent 06ae5e2 commit 8fd3f11
Showing 1 changed file with 6 additions and 1 deletion.
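--- a/estela-api/api/views/project.py
+++ b/estela-api/api/views/project.py
@@ -152,12 +152,17 @@ def update(self, request, *args, **kwargs):
 description = f"removed user {user_email}."
 elif action == "update":
 if permission == Permission.OWNER_PERMISSION:
+if not is_superuser:
+raise PermissionDenied(
+{"permission": "You do not have permission to do this."}
+)
 old_owner = instance.users.filter(
 permission__permission=Permission.OWNER_PERMISSION
 ).get()
 instance.users.remove(old_owner)
 instance.users.add(
-old_owner, through_defaults={"permission": Permission.ADMIN_PERMISSION}
+old_owner,
+through_defaults={"permission": Permission.ADMIN_PERMISSION},
 )
 instance.users.remove(affected_user)
 instance.users.add(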
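Review bot: The new `if not is_superuser:` guard covers only the `permission == Permission.OWNER_PERMISSION` branch of `action == "update"`, and the commit changes a single file, so no test pins this authorization rule against regression. A test in which a project admin requests an owner update and gets a 403, with the project's `users` membership left unchanged, would cover it; the guard does run before the first `instance.users.remove(...)`, so a denied request mutates nothing. Whether the remove branch above and updates to non-owner permissions are restricted in the same way when the affected user is the current owner is decided outside this hunk and should be confirmed. A short comment on the guard, such as `# Only superusers may transfer project ownership.`, would record the intent; `update` begins and continues outside the hunk.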
