Add permission for user to be able to submit the training request but…

… not modify / delete it
hotosm · Oct 15, 2024 · a9f14de · a9f14de
1 parent f10382e
commit a9f14de
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/backend/login/permissions.py b/backend/login/permissions.py
@@ -28,10 +28,15 @@ def has_object_permission(self, request, view, obj):
         # Allow modification (PUT, DELETE) if the user is staff or admin
         if request.user.is_staff or request.user.is_superuser:
             return True
-
-        if hasattr(obj, "user") and obj.user == request.user:
-            return True
-
+        ## if the object it is trying to access has user info
+        if hasattr(obj, "user"):
+            # in order to change it it needs to be in his/her name
+            if obj.user == request.user:
+                return True
+        else:
+            if request.method == "POST":
+                # if object doesn't have user in it then he has permission to access the object , considered as common object
+                return True
         return False