Restrict updates to pizza orders to organisers of the pizza event (!1164) · Merge requests · thalia / concrexit · GitLab

Merged Gijs Hendriksen requested to merge fix/restrict-pizza-order-updates-to-organisers into master Feb 13, 2019

Previous behaviour

Every member with permissions to change pizza orders can edit all orders through the API

Steps to reproduce:

PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
Notice it is successful if you have the pizzas.change_order permission.

New behaviour

Only members that are organiser of the event associated with the pizza event can change orders.

Steps to validate that it works:

PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
Notice it is only successful for the product of your own order if you are not the organiser of this pizza event.