From b327dcec97221428d0793d992b074285ed48d3ed Mon Sep 17 00:00:00 2001
From: Michael Hall
Date: Mon, 22 Jan 2018 17:03:25 -0500
Subject: [PATCH] Add permission checks before editing teams or events, use Django messaging framework to tell the use what went wrong

---
 get_together/settings.py | 9 +++++++++
 get_together/views.py | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/get_together/settings.py b/get_together/settings.py
index 64c497e..54a1a72 100644
--- a/get_together/settings.py
+++ b/get_together/settings.py
@@ -155,6 +155,15 @@ SETTINGS_EXPORT = [
 'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
 ]
 
+# Make django messages framework use Bootstrap's alert style classes
+from django.contrib.messages import constants as messages
+MESSAGE_TAGS = {
+ messages.INFO: 'alert-info',
+ messages.SUCCESS: 'alert-success',
+ messages.WARNING: 'alert-warning',
+ messages.ERROR: 'alert-danger',
+}
+
 # Keep this at the end of settings.py to allow overriding settings in local deployments
 try:
 from local_settings import *
diff --git a/get_together/views.py b/get_together/views.py
index c8dc1e3..b4a26e0 100644
--- a/get_together/views.py
+++ b/get_together/views.py
@@ -1,3 +1,6 @@
+from django.utils.translation import ugettext_lazy as _
+
+from django.contrib import messages
 from django.shortcuts import render, redirect
 from django.http import HttpResponse, JsonResponse
 
@@ -53,6 +56,10 @@ def create_team(request, *args, **kwargs):
 
 def edit_team(request, team_id):
 team = Team.objects.get(id=team_id)
+ if not request.user.profile.can_edit_team(team):
+ messages.add_message(request, messages.WARNING, message=_('You can not make changes to this team.'))
+ return redirect('show-team', team_id=team.pk)
+
 if request.method == 'GET':
 form = TeamForm(instance=team)
 
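Review bot: In the `get_together/settings.py` hunk, `from django.contrib.messages import constants as messages` sits in the middle of the module and binds `messages` to the constants module, while `views.py` in the same commit uses `messages` for `django.contrib.messages` itself. Importing it at the top of the file as `from django.contrib.messages import constants as message_constants` keeps the two meanings apart. `MESSAGE_TAGS` only overrides the levels it lists, so `messages.DEBUG` keeps Django's default tag and would render without a Bootstrap alert class; either map it or add a comment saying the omission is intended.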
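Review bot: `ugettext_lazy` in the first `get_together/views.py` hunk is the legacy alias, deprecated in Django 3.0 and removed in 4.0. The project's Django and Python versions are not visible in this patch; if it runs on Python 3, `from django.utils.translation import gettext_lazy as _` is the forward-compatible spelling. The two new imports would also read better grouped with the existing `django.*` imports rather than separated from each other by a blank line.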
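Review bot: In the `edit_team` hunk, `request.user.profile.can_edit_team(team)` runs before anything establishes that the request is authenticated. Django's `AnonymousUser` has no `profile` attribute by default, so unless the project attaches one elsewhere, a logged-out request would raise `AttributeError` and return a 500 instead of taking the warning-and-redirect path. No `login_required` decorator is visible above `def edit_team` in the hunk, and the `edit_event` and `create_event` hunks use the same pattern. Adding `@login_required` (from `django.contrib.auth.decorators`) to the three views, or starting the guard with `if not request.user.is_authenticated or ...`, would close the gap. Each view body continues outside its hunk, so the rest of the GET/POST handling cannot be checked here.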
@@ -98,6 +105,11 @@ def show_team(request, team_id, *args, **kwargs):
 
 def edit_event(request, event_id):
 event = Event.objects.get(id=event_id)
+
+ if not request.user.profile.can_edit_event(event):
+ messages.add_message(request, messages.WARNING, message=_('You can not make changes to this event.'))
+ return redirect(event.get_absolute_url())
+
 if request.method == 'GET':
 form = TeamEventForm(instance=event)
 
@@ -124,6 +136,10 @@ def edit_event(request, event_id):
 
 def create_event(request, team_id):
 team = Team.objects.get(id=team_id)
+ if not request.user.profile.can_create_event(team):
+ messages.add_message(request, messages.WARNING, message=_('You can not create events for this team.'))
+ return redirect('show-team', team_id=team.pk)
+
 if request.method == 'GET':
 form = NewTeamEventForm()
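Review bot: The new guard in `edit_event` authorises against the event loaded from the URL, but the POST branch that saves `TeamEventForm` is outside the hunk, so it cannot be seen whether a submitted form can change the event's team. If the form exposes that field, the save path should re-check `can_create_event` for the target team or exclude the field. The same question applies to the `create_event` hunk, where the new event should be bound to the checked `team` object rather than to form data. A short comment above each guard, such as `# Object-level permission check; runs for both GET and POST`, would record why it precedes the method dispatch.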