Only allow creating a new team for an organization if the user can edit the organization

get_together/templates/get_together/orgs/show_org.html

@@ -91,11 +91,13 @@
                     </div>
                 </div>
                 {% endfor %}
+                {% if can_edit_org %}
                 <div class="row mb-3">
                     <div class="col">
                       <center><a class="btn btn-success btn-sm" href="{% url 'create-team' %}?organization={{org.id}}">Add Team</a></center>
                     </div>
                 </div>
+                {% endif %}
             </div>
         </div>
     </div>

get_together/views/new_team.py

@@ -22,7 +22,9 @@ def start_new_team(request):
     new_team.owner_profile = request.user.profile
     if request.method == 'GET':
         if 'organization' in request.GET and request.GET['organization'] != '':
-            new_team.organization = Organization.objects.get(id=request.GET['organization'])
+            org = Organization.objects.get(id=request.GET['organization'])
+            if request.user.profile.can_edit_org(org):
+                new_team.organization = org
         form = NewTeamForm(instance=new_team)
         g = location.get_geoip(request)
         if g.latlng is not None and g.latlng[0] is not None and g.latlng[1] is not None:
@@ -37,7 +39,9 @@ def start_new_team(request):
         return render(request, 'get_together/new_team/start_new_team.html', context)
     elif request.method == 'POST':
         if 'organization' in request.POST and request.POST['organization'] != '':
-            new_team.organization = Organization.objects.get(id=request.POST['organization'])
+            org = Organization.objects.get(id=request.POST['organization'])
+            if request.user.profile.can_edit_org(org):
+                new_team.organization = org
         form = NewTeamForm(request.POST, request.FILES, instance=new_team)
         if form.is_valid():
             new_team = form.save()