From 0b3ea398785fe83f6ad5ae00bb041d0ff6948aee Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Fri, 25 Oct 2024 16:23:09 +0200
Subject: [PATCH] allow user to verify own email addresses

---
 scipost_django/profiles/views.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scipost_django/profiles/views.py b/scipost_django/profiles/views.py
index fe0cb5b02..612aaaf56 100644
--- a/scipost_django/profiles/views.py
+++ b/scipost_django/profiles/views.py
@@ -580,7 +580,6 @@ def _hx_profile_email_toggle_valid(request, email_id):
     )
 
 
-@permission_required_htmx("scipost.can_verify_profile_emails")
 def _hx_profile_email_request_verification(request, email_id):
     """Toggle verified/unverified status of ProfileEmail."""
     profile_email = get_object_or_404(ProfileEmail, pk=email_id)
@@ -588,6 +587,14 @@ def _hx_profile_email_request_verification(request, email_id):
     if not request.method == "PATCH":
         raise BadRequest("Invalid request method")
 
+    is_mail_owner = request.user.contributor.profile == profile_email.profile
+    can_verify_emails = request.user.has_perm("scipost.can_verify_profile_emails")
+    if not (is_mail_owner or can_verify_emails):
+        return HTMXResponse(
+            "You do not have the required permissions to verify this email.",
+            tag="danger",
+        )
+
     if not profile_email.verified:
         profile_email.send_verification_email()
         messages.success(
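Review bot: The added `is_mail_owner` line dereferences `request.user.contributor` unconditionally, and with `@permission_required_htmx` removed in the first hunk nothing visible here guarantees an authenticated user who has a Contributor. Unless a login requirement is applied elsewhere (URL config or middleware, not visible in this patch), an anonymous request or an account without a contributor would raise instead of reaching the denial branch. Guard the access, e.g. `contributor = getattr(request.user, "contributor", None)` followed by `is_mail_owner = contributor is not None and contributor.profile == profile_email.profile`. Because `get_object_or_404` runs before the check, a 404 versus the denial message also tells an unauthorised caller which `email_id` values exist; doing the lookup after an authentication check, or answering both cases the same way, would avoid that. The docstring still reads "Toggle verified/unverified status of ProfileEmail." although the visible body sends a verification email, so it should be reworded along the lines of `"""Send a verification email for a ProfileEmail (owner or verifier only)."""`; the function body continues past the end of this hunk.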
-- 
GitLab