Correctly check for permissions on user owned petitions for signature…

… related views
pytition · Jun 10, 2020 · 24002a0 · 24002a0
1 parent ab2499a
commit 24002a0
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/pytition/petition/views.py b/pytition/petition/views.py
@@ -197,8 +197,9 @@ def get_csv_signature(request, petition_id, only_confirmed):
     except Petition.DoesNotExist:
         return JsonResponse({}, status=404)
 
-    if petition.owner_type == "org":
-        if not petition.org.is_allowed_to(user, "can_view_signatures"):
+    if petition.owner_type == "org" and not petition.org.is_allowed_to(user, "can_view_signatures"):
+            return JsonResponse({}, status=403)
+    elif petition.owner_type == "user" and petition.owner != user:
             return JsonResponse({}, status=403)
 
     filename = '{}.csv'.format(petition)
@@ -1310,6 +1311,9 @@ def show_signatures(request, petition_id):
 
     if petition.owner_type == "user":
         base_template = 'petition/user_base.html'
+        if petition.user != pytitionuser:
+            messages.error(request, _("You are not allowed to view this petition's signatures."))
+            return redirect("user_dashboard")
     else:
         org = petition.org
         base_template = 'petition/org_base.html'
@@ -1345,10 +1349,7 @@ def show_signatures(request, petition_id):
                         else:
                             failed = True
                     else: # Petition is owned by a user, we check it's the one asking for deletion
-                        if pet.user == pytitionuser:
-                            s.delete()
-                        else:
-                            failed = True
+                        s.delete()
                 if failed:
                     messages.error(request, _("You don't have permission to delete some or all of selected signatures"))
                 else: