fix(access): Ensure Object permission are checked when an object is having an action performed against it.

ref: #442 #454
2024-12-26 14:11:05 +09:30
parent 4be1e97cbe
commit 534186a7f9
2 changed files with 12 additions and 1 deletions
--- a/app/access/mixins/organization.py
+++ b/app/access/mixins/organization.py
@ -19,7 +19,6 @@ class OrganizationMixin:

        Args:
            obj (Model): Model of object
-            obj (dict): Request data of the object being created

        Raises:
            ValueError: When `obj` and `request` are both missing
--- a/app/access/mixins/permissions.py
+++ b/app/access/mixins/permissions.py
@ -116,10 +116,18 @@ class OrganizationPermissionMixin(

                view_action = 'change'

+                obj_organization: Organization = view.get_obj_organization(
+                    obj = view.get_object()
+                )
+
            elif view.action == 'destroy':

                view_action = 'delete'

+                obj_organization: Organization = view.get_obj_organization(
+                    obj = view.get_object()
+                )
+
            elif (
                view.action == 'list'
            ):
@ -130,6 +138,10 @@ class OrganizationPermissionMixin(

                view_action = 'view'

+                obj_organization: Organization = view.get_obj_organization(
+                    obj = view.get_object()
+                )
+
            elif view.action == 'metadata':

                return True