From 93738fa76214221d2974645c1f943962a8a2ef39 Mon Sep 17 00:00:00 2001
From: Gijs Hendriksen
Date: Mon, 25 Sep 2017 14:15:04 +0200
Subject: [PATCH] Fix issue where the API allows orders to be cancelled when it shouldn't.

There was a bug in the API where a user could cancel an order, even though it had been paid for or the event had ended.
---
 website/pizzas/api/viewsets.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/pizzas/api/viewsets.py b/website/pizzas/api/viewsets.py
index 889a2bab..9a934ab2 100644
--- a/website/pizzas/api/viewsets.py
+++ b/website/pizzas/api/viewsets.py
@@ -43,7 +43,7 @@ class OrderViewset(ModelViewSet):
 event = PizzaEvent.current()
 if self.request.user.has_perm('pizzas.change_order'):
 return Order.objects.filter(pizza_event=event)
- if self.action == 'update':
+ if self.action == 'update' or self.action == 'destroy':
 if not event or event.has_ended:
 return Order.objects.none()
 
-- 
GitLab
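Review bot: The action check on the changed line still omits `partial_update`, so on a `ModelViewSet` a PATCH request would not enter this branch, assuming the viewset keeps the default routing and does not restrict HTTP methods somewhere outside the hunk. The restriction this commit adds for `destroy` would then still be missing for partial updates. I would write the condition as `if self.action in ('update', 'partial_update', 'destroy'):` and add a regression test that sends PATCH and DELETE for an order after the event has ended. The enclosing method starts and ends outside the hunk, so whatever filtering follows this branch is not visible here.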