From 14862b4db7ea38dbf564caf355a06572e8040732 Mon Sep 17 00:00:00 2001
From: Oscar Carballal Prego
Date: Fri, 15 Feb 2013 13:00:49 +0100
Subject: [PATCH] Fixed double permission validation in debate creation
---
src/apps/ecidadania/debate/views.py | 66 ++++++++++++++++++-------------------
1 file changed, 32 insertions(+), 34 deletions(-)
diff --git a/src/apps/ecidadania/debate/views.py b/src/apps/ecidadania/debate/views.py
index 719fe275..f750bd53 100755
--- a/src/apps/ecidadania/debate/views.py
+++ b/src/apps/ecidadania/debate/views.py
@@ -86,40 +86,38 @@ def add_new_debate(request, space_url): except ObjectDoesNotExist: current_debate_id = 1 - if request.user.has_perm('debate.debate_add') \ - or has_all_permissions(request.user): - if request.method == 'POST': - if debate_form.is_valid() and row_formset.is_valid() \ - and column_formset.is_valid(): - debate_form_uncommited = debate_form.save(commit=False) - debate_form_uncommited.space = place - debate_form_uncommited.author = request.user - - saved_debate = debate_form_uncommited.save() - debate_instance = get_object_or_404(Debate, - pk=current_debate_id) - - row = row_formset.save(commit=False) - for form in row: - form.debate = debate_instance - form.save() - - column = column_formset.save(commit=False) - for form in column: - form.debate = debate_instance - form.save() - - return HttpResponseRedirect(reverse(urln.DEBATE_VIEW, - kwargs={'space_url': space_url, - 'debate_id': str(debate_form_uncommited.id)})) - - return render_to_response('debate/debate_add.html', - {'form': debate_form, - 'rowform': row_formset, - 'colform': column_formset, - 'get_place': place, - 'debateid': current_debate_id}, - context_instance=RequestContext(request)) + if request.method == 'POST': + if debate_form.is_valid() and row_formset.is_valid() \ + and column_formset.is_valid(): + debate_form_uncommited = debate_form.save(commit=False) + debate_form_uncommited.space = place + debate_form_uncommited.author = request.user + + saved_debate = debate_form_uncommited.save() + debate_instance = get_object_or_404(Debate, + pk=current_debate_id) + + row = row_formset.save(commit=False) + for form in row: + form.debate = debate_instance + form.save() + + column = column_formset.save(commit=False) + for form in column: + form.debate = debate_instance + form.save() + + return HttpResponseRedirect(reverse(urln.DEBATE_VIEW, + kwargs={'space_url': space_url, + 'debate_id': str(debate_form_uncommited.id)})) + + return render_to_response('debate/debate_add.html', + {'form': 
debate_form, + 'rowform': row_formset, + 'colform': column_formset, + 'get_place': place, + 'debateid': current_debate_id}, + context_instance=RequestContext(request)) return render_to_response('not_allowed.html', context_instance=RequestContext(request)) -- 2.11.4.GIT
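Review bot: The re-indented POST branch still fetches the new debate with `get_object_or_404(Debate, pk=current_debate_id)`, an id guessed before the save (the visible fallback is `current_debate_id = 1`; how it is computed otherwise is outside the hunk). Under concurrent submissions or a non-contiguous id sequence, the rows and columns can be attached to a different debate, or the request can 404 after the debate was already saved. `debate_form_uncommited.save()` populates the instance's id, which the redirect already relies on, so the lookup can become `debate_instance = debate_form_uncommited`; `saved_debate` is never used and can be dropped, since `Model.save()` returns None. Separately, this hunk removes the only permission test visible here (`has_perm('debate.debate_add')` or `has_all_permissions`), and the function starts outside the hunk, so confirm that the check remaining there covers the same authorization. The trailing `not_allowed.html` return is only reachable if such a check still encloses this code.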