Restrict updates to pizza orders to organisers of the pizza event
Previous behaviour
Every member with permissions to change pizza orders can edit all orders through the API
Steps to reproduce:
-
PUT /api/v1/pizzas/orders/[pk]when you are not the organiser of the event associated with the pizza event. - Notice it is successful if you have the
pizzas.change_orderpermission.
New behaviour
Only members that are organiser of the event associated with the pizza event can change orders.
Steps to validate that it works:
-
PUT /api/v1/pizzas/orders/[pk]when you are not the organiser of the event associated with the pizza event. - Notice it is only successful for the product of your own order if you are not the organiser of this pizza event.