Closed mitchdowney closed 11 years ago
fixed
office.py
# CREATE OFFICE
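class OfficeCreateView(CreateView):
    """Create an Office, allowed only for moderators of its constituency.

    The moderator check lives in ``form_valid``, so it runs only after a
    submitted form has validated.
    """

    model = Office
    form_class = OfficeForm
    template_name = 'office_create.html'

    # NOTE(review): rendering the empty form (GET) is not covered by the
    # check in form_valid; confirm whether access to the page itself should
    # also be restricted, e.g. with a login requirement on the view.

    def form_valid(self, form):
        """Save the office if the requesting user moderates its constituency.

        Raises:
            Http404: if the requester is anonymous or is not among the
                moderators of the constituency selected on the form.
        """
        user = self.request.user
        moderators = form.instance.constituency.moderators

        # Membership is tested with filter().exists() instead of get().
        # get() raises DoesNotExist when the user is not a moderator, so the
        # old comparison never reached its own Http404 branch and the
        # request ended as an unhandled server error. An anonymous user has
        # no id and is rejected explicitly.
        if user.id is None or not moderators.filter(id=user.id).exists():
            # Http404 is kept so the response callers see is unchanged; a
            # 403 (PermissionDenied) would describe the refusal more
            # precisely if the project decides to handle it.
            raise Http404

        # The parent form_valid saves the form and builds the redirect, so
        # no separate save(commit=False) / save() pair is needed here; the
        # old code wrote the same row twice.
        return super(OfficeCreateView, self).form_valid(form)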
Currently anyone can edit the office page of any constituency.
Currently anyone can access the OfficeCreateView and create an office for any constituency, because the view does not check who is making the request.