From 542a8c82e9361e2e7a99429c1ba4d1df1a3821f3 Mon Sep 17 00:00:00 2001
From: Michael Hall
Date: Sun, 21 Jan 2018 12:23:13 -0500
Subject: [PATCH] Add permission checking before showing edit buttons

---
 events/models/profiles.py                  | 23 +++++++++++++++++++
 .../templates/get_together/show_event.html |  2 +-
 .../templates/get_together/show_team.html  |  2 ++
 get_together/views.py                      |  2 ++
 4 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/events/models/profiles.py b/events/models/profiles.py
index 1ce38a5..68d4be4 100644
--- a/events/models/profiles.py
+++ b/events/models/profiles.py
@@ -47,6 +47,8 @@ class UserProfile(models.Model):
         return local.astimezone(pytz.utc)
 
     def can_create_event(self, team):
+        if self.user.is_superuser:
+            return True
         if not self.user_id:
             return False
         if self.user.is_superuser:
@@ -59,6 +61,27 @@ class UserProfile(models.Model):
             return True
         return False
 
+    def can_edit_event(self, event):
+        if self.user.is_superuser:
+            return True
+        if event.created_by == self:
+            return True
+        if event.team.owner_profile == self:
+            return True
+        if self in event.team.admin_profiles.all():
+            return True
+        return False
+
+    def can_edit_team(self, team):
+        print("Checking team edit permission for: %s" % team)
+        if self.user.is_superuser:
+            return True
+        if team.owner_profile == self:
+            return True
+        if self in team.admin_profiles.all():
+            return True
+        return False
+
 def get_user_timezone(username):
     # TODO: find a smarter way to get timezone
     return 'UTC'
diff --git a/get_together/templates/get_together/show_event.html b/get_together/templates/get_together/show_event.html
index 3567b71..bf4c7d4 100644
--- a/get_together/templates/get_together/show_event.html
+++ b/get_together/templates/get_together/show_event.html
@@ -6,7 +6,7 @@
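Review bot: The added `if self.user.is_superuser:` in can_create_event runs before the existing `if not self.user_id: return False` guard, so a profile with no linked user now triggers the related-object lookup on `self.user` instead of returning False; the unchanged `if self.user.is_superuser:` two context lines further down already grants superusers once the guard has passed, so the two added lines are both unsafe and redundant and should be dropped (or, if an early return is wanted, moved below the `user_id` guard). The same unguarded `self.user.is_superuser` access opens can_edit_event and can_edit_team in the second hunk of this file. Whether a profile without a user actually occurs is not visible here; the existing guard suggests the code expects it. can_create_event's body continues outside the hunk.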
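Review bot: can_edit_team ships with `print("Checking team edit permission for: %s" % team)`, a debugging line that writes to stdout on every permission check and should be removed (or turned into a `logging` debug call) before merge. Both new methods also load the full admin set with `self in team.admin_profiles.all()` when `team.admin_profiles.filter(pk=self.pk).exists()` answers the membership question in the database, and the last three checks of can_edit_event duplicate can_edit_team, so `return self.can_edit_team(event.team)` after the `created_by` test would keep the two rules from drifting apart. A docstring on each method, e.g. `"""True if this profile may edit *team*: superuser, team owner or team admin."""`, would record the intended rule.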

Hosted by {{ team.name }}

 {% include "events/event_details.html" %}
-{% if request.user.profile == event.created_by %}
+{% if can_edit_event %}
diff --git a/get_together/templates/get_together/show_team.html b/get_together/templates/get_together/show_team.html
index 85e87d4..35a8261 100644
--- a/get_together/templates/get_together/show_team.html
+++ b/get_together/templates/get_together/show_team.html
@@ -10,7 +10,9 @@
+{% endif %}
+{% if can_edit_team %}
diff --git a/get_together/views.py b/get_together/views.py
index c15a79c..c8dc1e3 100644
--- a/get_together/views.py
+++ b/get_together/views.py
@@ -92,6 +92,7 @@ def show_team(request, team_id, *args, **kwargs):
         'team': team,
         'events_list': team_events,
         'can_create_event': request.user.profile.can_create_event(team),
+        'can_edit_team': request.user.profile.can_edit_team(team),
     }
     return render(request, 'get_together/show_team.html', context)
 
@@ -180,5 +181,6 @@ def show_event(request, event_id, event_slug):
     context = {
         'team': event.team,
         'event': event,
+        'can_edit_event': request.user.profile.can_edit_event(event),
     }
     return render(request, 'get_together/show_event.html', context)
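Review bot: In the show_event hunk the added `request.user.profile.can_edit_event(event)` is the first server-side use of `request.user.profile` in this view, and an unauthenticated visitor has no `profile` attribute, so the event page would raise instead of rendering unless show_event is behind a login decorator that sits outside the hunk; `'can_edit_event': request.user.is_authenticated and request.user.profile.can_edit_event(event),` keeps the page public and the flag falsy (show_team's context line already carries the same pattern, so that hunk is unchanged by this point). Separately, these flags only decide whether the template draws the edit buttons; nothing in this commit shows the edit views consulting can_edit_team or can_edit_event, so unless they already do, the check is cosmetic and the same UserProfile methods should be enforced at the top of each edit view before any write. The edit views are outside this diff, so that part is inferred.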