From: Scott Baker <smbaker@gmail.com>
Date: Fri, 3 Oct 2014 05:50:18 +0000 (-0700)
Subject: raise PermissionDenied if someone tries to save an object without can_update rights
X-Git-Url: http://git.onelab.eu/?p=plstackapi.git;a=commitdiff_plain;h=1d871c61de617d683b8ffaacb6deddcf4cb6917d

raise PermissionDenied if someone tries to save an object without can_update rights
---

diff --git a/planetstack/core/models/plcorebase.py b/planetstack/core/models/plcorebase.py
index 8d657a7..b9692c6 100644
--- a/planetstack/core/models/plcorebase.py
+++ b/planetstack/core/models/plcorebase.py
@@ -5,6 +5,7 @@ from django.forms.models import model_to_dict
 from django.core.urlresolvers import reverse
 from django.forms.models import model_to_dict
 from django.utils import timezone
+from django.core.exceptions import PermissionDenied
 import model_policy
 
 try:
@@ -128,12 +129,14 @@ class PlCoreBase(models.Model):
         self.__initial = self._dict
 
     def save_by_user(self, user, *args, **kwds):
-        if self.can_update(user):
-            self.save(*args, **kwds)
+        if not self.can_update(user):
+            raise PermissionDenied("You do not have permission to update %s objects" % self.__class__.__name__)
+        self.save(*args, **kwds)
 
     def delete_by_user(self, user, *args, **kwds):
-        if self.can_update(user):
-            self.delete(*args, **kwds)
+        if not self.can_update(user):
+            raise PermissionDenied("You do not have permission to delete %s objects" % self.__class__.__name__)
+        self.delete(*args, **kwds)
 
     @property
     def _dict(self):