fix(settings): grant the user access to their own settings object

ref: #485 #486
2025-01-24 15:17:07 +09:30
parent a1207bfb0f
commit b8cac94f9a
1 changed files with 9 additions and 0 deletions
--- a/app/access/mixins/permissions.py
+++ b/app/access/mixins/permissions.py
@ -272,11 +272,20 @@ class OrganizationPermissionMixin(

        try:

+
            if request.user.is_anonymous:

                return False


+            if (
+                view.model.__name__ == 'UserSettings'
+                and request._user.id == int(view.kwargs.get('pk', 0))
+            ):
+
+                return True
+
+
            object_organization: int = getattr(view.get_obj_organization( obj = obj ), 'id', None)

            if object_organization: