From d599781d502f14117790cff83785b9eaa54d57d5 Mon Sep 17 00:00:00 2001 From: j <0x006A@0x2620.org> Date: Wed, 15 Oct 2014 09:45:11 +0000 Subject: [PATCH] allow users to only edit there own groups --- pandora/item/views.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pandora/item/views.py b/pandora/item/views.py index 5e1246418..718705eb7 100644 --- a/pandora/item/views.py +++ b/pandora/item/views.py @@ -559,6 +559,13 @@ def edit(request, data): item.user = new_user update_clips = True del data['user'] + if 'groups' in data: + if not request.user.get_profile().capability('canManageUsers'): + # Users wihtout canManageUsers can only add/remove groups they are not in + groups = set([g.name for g in item.groups.all()]) + user_groups = set([g.name for g in request.user.groups.all()]) + other_groups = list(groups - user_groups) + data['groups'] = [g for g in data['groups'] if g in user_groups] + other_groups r = item.edit(data) if r: r.wait()