rattail/tailbone
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Don't let user delete roles to which they belong, without permission

Browse source
This commit is contained in:
Lance Edgar 2020-03-15 11:59:23 -05:00
parent edd48ef667
commit 964671fcbf
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
tailbone/views/roles.py
View file

@ -100,6 +100,12 @@ class RolesView(PrincipalMasterView):
return False return False
if role is guest_role(self.Session()): if role is guest_role(self.Session()):
return False return False
# current user can delete their own roles, only if they have permission
user = self.request.user
if user and role in user.roles:
return self.has_perm('edit_my')
return True return True
def unique_name(self, node, value): def unique_name(self, node, value):