From f9f510c309e93f8b13540fbcb3a6f0d30ee20a4b Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Tue, 1 Dec 2015 12:53:07 +0100
Subject: [PATCH 1/1] roles-api-add_remove-members-#8234
---
 src/authentic2/api_views.py | 12 +++++-------
 tests/test_api.py | 2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index bb0a69e..4d51c26 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -334,17 +334,15 @@ class RolesAPI(APIView):
 def initial(self, request, *args, **kwargs):
 super(RolesAPI, self).initial(request, *args, **kwargs)
- perm = 'a2_rbac.change_role'
- authorized = request.user.has_perm(perm, obj=self.role)
- if not authorized:
- raise PermissionDenied(u'User not allowed to change role')
-
- def dispatch(self, request, *args, **kwargs):
 Role = get_role_model()
 User = get_user_model()
 self.role = get_object_or_404(Role, uuid=kwargs['role_uuid'])
 self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])
- return super(RolesAPI, self).dispatch(request, *args, **kwargs)
+
+ perm = 'a2_rbac.change_role'
+ authorized = request.user.has_perm(perm, obj=self.role)
+ if not authorized:
+ raise PermissionDenied(u'User not allowed to change role')
 def post(self, request, *args, **kwargs):
 self.role.members.add(self.member)
diff --git a/tests/test_api.py b/tests/test_api.py
index 76c4ea8..200058a 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -77,7 +77,7 @@ def test_api_role_add_member(app, user, role, member):
 'role_member': member.uuid
 }
- authorized = user.is_superuser or user.has_perm('a2_rbac.change_role', role)
+ authorized = user.has_perm('a2_rbac.change_role', role)
 if member.username == 'fake' or role.name == 'fake':
 status = 404
--
2.6.2
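Review bot: In `initial`, both `get_object_or_404` lookups run before the `has_perm` check, so a caller who passes `super().initial()` but lacks `a2_rbac.change_role` gets 404 for an unknown UUID and 403 for a known one, which discloses whether a role or user UUID exists. The role has to be loaded first because the check is object-level, but the member lookup does not feed the check and can move below it: place `self.member = get_object_or_404(User, uuid=kwargs['member_uuid'])` after the `raise PermissionDenied(...)` block. The expected-status logic in tests/test_api.py tests the 404 case before `authorized`, so it would need the same reordering for the fake-member case. Which authentication and permission classes `RolesAPI` declares is outside the hunk, so whether anonymous callers reach this code cannot be confirmed here.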
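Review bot: The expected value `authorized` in `test_api_role_add_member` is computed with the same `user.has_perm('a2_rbac.change_role', role)` call the view makes, so this test cannot fail when the permission backend grants or denies the wrong users; it only checks that the view maps the backend's answer to a status code. Pinning the expectation per fixture would catch authorization regressions, for example a parametrized `expected_status` alongside each user fixture, if the fixtures (not visible here) allow it. The test body continues outside the hunk.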