Merge pull request #1700 from wwitzel3/issue-1429

Fixing CredentialList post access check
This commit is contained in:
Wayne Witzel III
2016-04-27 09:10:26 -04:00

View File

@@ -1240,7 +1240,7 @@ class CredentialList(ListCreateAPIView):
organization = Organization.objects.get(pk=request.data['organization']) organization = Organization.objects.get(pk=request.data['organization'])
obj = organization obj = organization
if self.request.user not in obj.admin_role: if not self.request.user.can_access(type(obj), 'change', obj, request.data):
raise PermissionDenied() raise PermissionDenied()
ret = super(CredentialList, self).post(request, *args, **kwargs) ret = super(CredentialList, self).post(request, *args, **kwargs)