thalia / concrexit / Merge requests / !1164

Restrict updates to pizza orders to organisers of the pizza event

Merged Gijs Hendriksen requested to merge fix/restrict-pizza-order-updates-to-organisers into master Feb 13, 2019

Previous behaviour

Every member with permissions to change pizza orders can edit all orders through the API.

Steps to reproduce:

  1. PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
  2. Notice it is successful if you have the pizzas.change_order permission.

New behaviour

Only members that are organisers of the event associated with the pizza event can change orders.

Steps to validate that it works:

  1. PUT /api/v1/pizzas/orders/[pk] when you are not the organiser of the event associated with the pizza event.
  2. Notice it is only successful for the product of your own order if you are not the organiser of this pizza event.
Source branch: fix/restrict-pizza-order-updates-to-organisers
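
The difference between the previous and new behaviour described in this merge request, as an added example that is not concrexit's own code: a plain-Python model of the authorisation decision for an order update. The classes, field names (`member`, `product`, `paid`, `organisers`) and the assumption that an organiser still needs `pizzas.change_order` are hypothetical; only the permission name and the two behaviours come from the description.

```python
from dataclasses import dataclass

CHANGE_ORDER = "pizzas.change_order"  # permission named in the merge request


@dataclass(frozen=True)
class User:
    name: str
    perms: frozenset = frozenset()


@dataclass
class Event:
    organisers: set  # names of the event's organisers (hypothetical model)


@dataclass
class Order:
    member: str      # name of the member who placed the order
    event: Event     # event associated with the pizza event
    product: str
    paid: bool = False


def can_update_before(user, order, changes):
    """Previous behaviour: the model-level permission alone decides."""
    return CHANGE_ORDER in user.perms


def can_update_after(user, order, changes):
    """New behaviour: object-level check against this order's event."""
    # Assumption: an organiser still needs the change permission.
    if CHANGE_ORDER in user.perms and user.name in order.event.organisers:
        return True
    # Everyone else may change only the product of their own order.
    return order.member == user.name and set(changes) <= {"product"}


def apply_update(check, user, order, changes):
    """Apply a PUT-like update only if `check` authorises it."""
    if not check(user, order, changes):
        raise PermissionError(f"{user.name} may not update this order")
    for key, value in changes.items():
        setattr(order, key, value)
    return order
```
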