From ec0720514e9e458f9c933eed63a19744c064f160 Mon Sep 17 00:00:00 2001
From: Hugh Rundle
Date: Sat, 25 Sep 2021 20:25:30 +1000
Subject: [PATCH] don't allow non-manager to add and remove group members

---
 bookwyrm/templates/snippets/add_to_group_button.html | 2 +-
 bookwyrm/views/group.py | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/bookwyrm/templates/snippets/add_to_group_button.html b/bookwyrm/templates/snippets/add_to_group_button.html
index aea0532f..f533af6e 100644
--- a/bookwyrm/templates/snippets/add_to_group_button.html
+++ b/bookwyrm/templates/snippets/add_to_group_button.html
@@ -1,5 +1,5 @@
 {% load i18n %}
-{% if request.user == user or not request.user.is_authenticated %}
+{% if request.user == user or not request.user == group.manager or not request.user.is_authenticated %}
 {% elif user in request.user.blocks.all %}
 {% include 'snippets/block_button.html' with blocks=True %}
diff --git a/bookwyrm/views/group.py b/bookwyrm/views/group.py
index addf9e47..4214908a 100644
--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
@@ -47,7 +47,7 @@ class UserGroups(View):
 data = {
 "user": user,
- "is_self": request.user.id == user.id,
+ "is_self": request.user.id == user.id, # CHECK is this relevant here?
 "groups": paginated.get_page(request.GET.get("page")),
 "group_form": forms.GroupForm(),
 "path": user.local_path + "/group",
@@ -82,9 +82,12 @@ class FindUsers(View):
 request.user
 )
+ group = get_object_or_404(models.Group, id=group_id)
+
 data["suggested_users"] = user_results
- data["group"] = get_object_or_404(models.Group, id=group_id)
+ data["group"] = group
 data["query"] = query
+ data["requestor_is_manager"] = request.user == group.manager
 return TemplateResponse(request, "groups/find_users.html", data)
 @login_required
@@ -129,7 +132,6 @@ def add_member(request):
 print("no integrity")
 pass
- # TODO: how do we return and update AJAX data?
 return redirect(user.local_path)
 @require_POST
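Review bot: Hiding the add/remove button in the template is not an authorization check, and the add_member/remove_member hunks in this commit only drop a TODO comment, so unless their bodies (which lie outside the hunks) already compare `request.user` with `group.manager` and refuse otherwise, a non-manager can still submit the POST directly and the restriction named in the commit title is enforced nowhere on the server. That comparison belongs in both views before membership is changed, with the template condition kept only as a UI convenience. The snippet now also depends on `group` being in the context of every template that includes it; if it is included somewhere without `group`, `group.manager` resolves to empty and the button is hidden, which is fail-closed but silent and worth confirming. Stylistically, `not request.user == group.manager` reads better as an inequality: `{% if request.user == user or request.user != group.manager or not request.user.is_authenticated %}`.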
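Review bot: The added `# CHECK is this relevant here?` on the `"is_self"` entry in the UserGroups data dict commits a reviewer's open question into the code rather than a decision; either resolve it before merging or record it as an owned task, e.g. `# TODO(owner): confirm "is_self" is still consumed by this view's template`. The enclosing method of UserGroups starts and ends outside the hunk.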
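Review bot: `data["requestor_is_manager"] = request.user == group.manager` introduces the manager predicate as a context flag while the add_to_group_button.html hunk in this same commit tests `request.user == group.manager` directly, so the same authorization condition now exists in two spellings; have the template consume the flag (or drop the flag) so that a later change to who may manage a group has a single place to update. This view still serves the suggested-user list for the group to any requestor, which is fine if browsing candidates is meant to be open, but if only the manager should reach this page it should refuse non-managers here rather than only hide controls in the template. The flag is presumably consumed by groups/find_users.html, which is not in this diff. The enclosing method of FindUsers starts outside the hunk.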
@@ -158,5 +160,4 @@ def remove_member(request):
 print("no integrity")
 pass
- # TODO: how do we return and update AJAX data?
 return redirect(user.local_path)
\ No newline at end of file