Previous behaviour
Every member with permissions to change pizza orders can edit all orders through the API.
Steps to reproduce:
- PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
- Notice it is successful if you have the pizzas.change_order permission.
New behaviour
Only members that are organisers of the event associated with the pizza event can change orders.
Steps to validate that it works:
- PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
- Notice it is only successful for the product of your own order if you are not the organiser of this pizza event.
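
The difference between the two behaviours, as an added example that is not part of this PR or the project's code: the old check looks only at the model-level permission, the new one decides per order and per field. The class names, the `member` field and the assumption that organisers still need `pizzas.change_order` are hypothetical; only the permission name and the `product` field come from the description above.

```python
from dataclasses import dataclass

CHANGE_ORDER = "pizzas.change_order"  # permission named in the PR description


@dataclass(frozen=True)
class Member:
    pk: int
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Order:
    pk: int
    member_pk: int               # member the order belongs to
    event_organisers: frozenset  # pks of organisers of the associated event


def old_can_update(member, order, fields):
    """Previous behaviour: the model-level permission alone decides."""
    return CHANGE_ORDER in member.permissions


def new_can_update(member, order, fields):
    """New behaviour: the decision depends on the order and the fields written.

    Assumption: organisers still need the model-level permission.
    """
    if member.pk in order.event_organisers and CHANGE_ORDER in member.permissions:
        return True
    # Non-organisers may only change the product of their own order.
    return order.member_pk == member.pk and set(fields) <= {"product"}


def demo():
    """Constructed data: Alice organises the event, Bob only holds the permission."""
    alice = Member(1, frozenset({CHANGE_ORDER}))
    bob = Member(2, frozenset({CHANGE_ORDER}))
    organisers = frozenset({alice.pk})
    alices_order = Order(10, alice.pk, organisers)
    bobs_order = Order(11, bob.pk, organisers)
    return {
        "old_bob_on_alices_order": old_can_update(bob, alices_order, {"product"}),
        "new_bob_on_alices_order": new_can_update(bob, alices_order, {"product"}),
        "new_bob_own_product": new_can_update(bob, bobs_order, {"product"}),
        "new_bob_own_other_field": new_can_update(bob, bobs_order, {"product", "member"}),
        "new_alice_on_bobs_order": new_can_update(alice, bobs_order, {"product", "member"}),
    }
```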