From d599781d502f14117790cff83785b9eaa54d57d5 Mon Sep 17 00:00:00 2001
From: j <0x006A@0x2620.org>
Date: Wed, 15 Oct 2014 09:45:11 +0000
Subject: [PATCH] allow users to only edit there own groups

---
 pandora/item/views.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pandora/item/views.py b/pandora/item/views.py
index 5e1246418..718705eb7 100644
--- a/pandora/item/views.py
+++ b/pandora/item/views.py
@@ -559,6 +559,13 @@ def edit(request, data):
                     item.user = new_user
                     update_clips = True
             del data['user']
+        if 'groups' in data:
+            if not request.user.get_profile().capability('canManageUsers'):
+                # Users wihtout canManageUsers can only add/remove groups they are not in
+                groups = set([g.name for g in item.groups.all()])
+                user_groups = set([g.name for g in request.user.groups.all()])
+                other_groups = list(groups - user_groups)
+                data['groups'] = [g for g in data['groups'] if g in user_groups] + other_groups
         r = item.edit(data)
         if r:
             r.wait()