From c52f51162aec377b9435ba0500cc9144eddca736 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Thu, 4 Apr 2013 15:50:56 -0400
Subject: [PATCH] Work on team credentials.
---
 lib/main/tests/projects.py | 6 +++---
 lib/main/views.py | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/main/tests/projects.py b/lib/main/tests/projects.py
index 93094a2981..d8bb6893fc 100644
--- a/lib/main/tests/projects.py
+++ b/lib/main/tests/projects.py
@@ -322,9 +322,9 @@ class ProjectsTest(BaseTest):
 # can list credentials on a team
 self.get(team_creds, expect=401)
 self.get(team_creds, expect=401, auth=self.get_invalid_credentials())
- self.get(team_creds, expect=201, auth=self.get_super_credentials())
- self.get(team_creds, expect=201, auth=self.get_normal_credentials())
- self.get(team_creds, expect=201, auth=self.get_other_credentials())
+ self.get(team_creds, expect=200, auth=self.get_super_credentials())
+ self.get(team_creds, expect=200, auth=self.get_normal_credentials())
+ self.get(team_creds, expect=403, auth=self.get_other_credentials())
 self.get(team_creds, expect=403, auth=self.get_nobody_credentials())
 # can edit a credential
diff --git a/lib/main/views.py b/lib/main/views.py
index 056d43a22e..1623455cc2 100644
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -226,12 +226,13 @@ class TeamsCredentialsList(BaseSubList):
 def _get_queryset(self):
 team = Team.objects.get(pk=self.kwargs['pk'])
- if not Team.can_user_read(self.request.user, team):
- raise PermissionDenied()
+ if not Team.can_user_administrate(self.request.user, team):
+ if not (self.request.user.is_superuser or self.request.user in team.users.all()):
+ raise PermissionDenied()
 project_credentials = Credential.objects.filter(
- projects__team__users__in = [ user ]
+ team = team
 )
- return user.credentials.distinct() | project_credentials.distinct()
+ return project_credentials.distinct()
 class ProjectsList(BaseList):
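Review bot: The three updated `team_creds` requests assert only the status code, so they would still pass if the listing returned credentials that belong to another team. Because the view's queryset changes in this same commit, the two 200 cases should also check the response body: a credential attached to this team is present and one attached to a different team is absent (the fixtures needed for that are not visible in this hunk). A comment such as `# team admins and members may list; users outside the team get 403` above the block would record the intended policy. The test method starts and ends outside the hunk.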
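Review bot: The read rule for team credentials is now written inline in `_get_queryset` (team administrator, superuser, or any member of `team.users`) instead of going through `Team.can_user_read`, so this endpoint's policy can drift from the rule other team views apply. If member-level read access is intended, keeping it in one model-level permission method and calling that here would leave a single place to audit. It is also worth confirming that the serializer withholds secret fields from non-admin members, which this hunk does not show. The membership test `self.request.user in team.users.all()` evaluates the whole member queryset; `team.users.filter(pk=self.request.user.pk).exists()` asks the same question in one query. The local name `project_credentials` no longer matches the `team = team` filter, and `team_credentials` would read correctly.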