From 0ea8ca9920279d0294487312056bb5e86c160fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?=
Date: Thu, 29 Jun 2017 17:15:11 +0200
Subject: [PATCH] changeset permissions
---
 src/c3nav/editor/models/changedobject.py | 2 +-
 src/c3nav/editor/models/changeset.py | 14 +++++++++++---
 src/c3nav/editor/views/changes.py | 8 ++------
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/c3nav/editor/models/changedobject.py b/src/c3nav/editor/models/changedobject.py
index 35b9b53c..37429c8d 100644
--- a/src/c3nav/editor/models/changedobject.py
+++ b/src/c3nav/editor/models/changedobject.py
@@ -263,7 +263,7 @@ class ChangedObject(models.Model):
 (not self.is_created and self.deleted))
 def save(self, *args, standalone=False, **kwargs):
- if self.changeset.proposed is not None or self.changeset.applied is not None:
+ if not self.changeset.editable:
 raise TypeError('can not add change object to uneditable changeset.')
 self.m2m_added = {name: tuple(values) for name, values in self._m2m_added_cache.items()}
 self.m2m_removed = {name: tuple(values) for name, values in self._m2m_removed_cache.items()}
diff --git a/src/c3nav/editor/models/changeset.py b/src/c3nav/editor/models/changeset.py
index f621ff2b..b451bd99 100644
--- a/src/c3nav/editor/models/changeset.py
+++ b/src/c3nav/editor/models/changeset.py
@@ -187,9 +187,6 @@ class ChangeSet(models.Model):
 return objects
- """
- Lookup changes and created objects
- """
 def get_changed_values(self, model: models.Model, name: str) -> tuple:
 """
 Get all changes values for a specific field on existing models
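Review bot: In `ChangedObject.save()` (changedobject.py) the guard now rests on `changeset.editable`, which this commit defines as `self.applied is None`, so the model layer no longer rejects changes to a changeset that has been proposed but not yet applied. The per-request decision moves to `ChangeSet.can_edit(request)`, so any caller that saves a ChangedObject without checking it first can alter a proposed changeset; those callers are not visible in this hunk. If the loosening is intended, I would state it above the check, e.g. `# editable only means "not applied"; callers must check changeset.can_edit(request) before saving`. The body of `save()` continues past the end of the hunk.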
@@ -247,6 +244,17 @@ class ChangeSet(models.Model):
 model = model._obj
 return set(self.created_objects.get(model, {}).keys())
+ """
+ Permissions
+ """
+ @property
+ def editable(self):
+ return self.applied is None
+
+ def can_edit(self, request):
+ return (self.editable and self.session_id == request.session.session_key and
+ (self.proposed is None or self.assigned_to_id is request.user.pk))
+
 """
 Methods for display
 """
diff --git a/src/c3nav/editor/views/changes.py b/src/c3nav/editor/views/changes.py
index cc0bc228..75bf5a9c 100644
--- a/src/c3nav/editor/views/changes.py
+++ b/src/c3nav/editor/views/changes.py
@@ -18,11 +18,10 @@ from c3nav.mapdata.models.locations import LocationRedirect, LocationSlug
 @sidebar_view
 def changeset_detail(request, pk):
- can_edit = True
 changeset = request.changeset
 if str(pk) != str(request.changeset.pk):
- can_edit = False
 changeset = get_object_or_404(ChangeSet.qs_for_request(request), pk=pk)
+ can_edit = changeset.can_edit(request)
 if request.method == 'POST' and can_edit:
 restore = request.POST.get('restore')
@@ -228,14 +227,11 @@ def changeset_detail(request, pk):
 @sidebar_view
 def changeset_edit(request, pk):
- can_edit = True
 changeset = request.changeset
-
 if str(pk) != str(request.changeset.pk):
- can_edit = False
 changeset = get_object_or_404(ChangeSet.qs_for_request(request), pk=pk)
- if not can_edit:
+ if not changeset.can_edit(request):
 raise PermissionDenied
 if request.method == 'POST':
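Review bot: In `ChangeSet.can_edit`, `self.assigned_to_id is request.user.pk` compares by identity rather than by value. Two equal integer primary keys are not guaranteed to be the same object, so the assignee of a proposed changeset can be refused. The one case that reliably passes is `None is None`: an unassigned proposed changeset and a user whose `pk` is None (presumably an anonymous user). I would write the last clause as `(self.proposed is None or (self.assigned_to_id is not None and self.assigned_to_id == request.user.pk))`. The same None question applies to `self.session_id == request.session.session_key` if either side can be unset, which is not visible here. A one-line docstring on `editable` and `can_edit` saying who may edit in each state would also help.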
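Review bot: In `changeset_detail`, a POST from a client for which `can_edit` is False skips the handler and is rendered like a GET, while `changeset_edit` in the next hunk raises `PermissionDenied` for the same condition. A refused write is then indistinguishable from an ordinary page view, both for the user and in the request log. Unless the rest of the function (outside this hunk) already handles it, I would reject it explicitly before the handler: `if request.method == 'POST' and not can_edit:` followed by `raise PermissionDenied`.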