don't allow non-manager to add and remove group members

2021-09-25 20:25:30 +10:00 · 2021-09-25 20:25:30 +10:00 · ec0720514e
commit ec0720514e
parent 035fc5209d
2 changed files with 6 additions and 5 deletions
--- a/bookwyrm/templates/snippets/add_to_group_button.html
+++ b/bookwyrm/templates/snippets/add_to_group_button.html
@ -1,5 +1,5 @@
 {% load i18n %}
-{% if request.user == user or not request.user.is_authenticated %}
+{% if request.user == user or not request.user == group.manager or not request.user.is_authenticated %}
 <!-- TODO: blocking is irrelevant here, but ...is it? -->
 {% elif user in request.user.blocks.all %}
 {% include 'snippets/block_button.html' with blocks=True %}
--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
@ -47,7 +47,7 @@ class UserGroups(View):

        data = {
            "user": user,
-            "is_self": request.user.id == user.id,
+            "is_self": request.user.id == user.id, # CHECK is this relevant here?
            "groups": paginated.get_page(request.GET.get("page")),
            "group_form": forms.GroupForm(),
            "path": user.local_path + "/group",
@ -82,9 +82,12 @@ class FindUsers(View):
                request.user
            )

+        group = get_object_or_404(models.Group, id=group_id)
+
        data["suggested_users"] = user_results
-        data["group"] = get_object_or_404(models.Group, id=group_id)
+        data["group"] = group
        data["query"] = query
+        data["requestor_is_manager"] = request.user == group.manager
        return TemplateResponse(request, "groups/find_users.html", data)

@login_required
@ -129,7 +132,6 @@ def add_member(request):
        print("no integrity")
        pass

-    # TODO: how do we return and update AJAX data?
    return redirect(user.local_path)

@require_POST
@ -158,5 +160,4 @@ def remove_member(request):
        print("no integrity")
        pass

-    # TODO: how do we return and update AJAX data?
    return redirect(user.local_path)