From 1d871c61de617d683b8ffaacb6deddcf4cb6917d Mon Sep 17 00:00:00 2001 From: Scott Baker Date: Thu, 2 Oct 2014 22:50:18 -0700 Subject: [PATCH] raise PermissionDenied if someone tries to save an object without can_update rights --- planetstack/core/models/plcorebase.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/planetstack/core/models/plcorebase.py b/planetstack/core/models/plcorebase.py index 8d657a7..b9692c6 100644 --- a/planetstack/core/models/plcorebase.py +++ b/planetstack/core/models/plcorebase.py @@ -5,6 +5,7 @@ from django.forms.models import model_to_dict from django.core.urlresolvers import reverse from django.forms.models import model_to_dict from django.utils import timezone +from django.core.exceptions import PermissionDenied import model_policy try: @@ -128,12 +129,14 @@ class PlCoreBase(models.Model): self.__initial = self._dict def save_by_user(self, user, *args, **kwds): - if self.can_update(user): - self.save(*args, **kwds) + if not self.can_update(user): + raise PermissionDenied("You do not have permission to update %s objects" % self.__class__.__name__) + self.save(*args, **kwds) def delete_by_user(self, user, *args, **kwds): - if self.can_update(user): - self.delete(*args, **kwds) + if not self.can_update(user): + raise PermissionDenied("You do not have permission to delete %s objects" % self.__class__.__name__) + self.delete(*args, **kwds) @property def _dict(self): -- 2.43.0