From 297ff332491d538ea4d9f3e09c11770590ed115c Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Thu, 15 Jun 2023 11:38:54 +0200
Subject: [PATCH] fix permissions on new production page; fix work log deletion
 being accessible by all users

---
 scipost_django/finances/views.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/scipost_django/finances/views.py b/scipost_django/finances/views.py
index b67b002ef..85be62e83 100644
--- a/scipost_django/finances/views.py
+++ b/scipost_django/finances/views.py
@@ -39,6 +39,7 @@ from comments.utils import validate_file_extention
 from journals.models import Journal, Publication
 from organizations.models import Organization
 from scipost.mixins import PermissionsMixin
+from scipost.views import HTMXPermissionsDenied, HTMXResponse
 
 
 def publishing_years():
@@ -554,13 +555,15 @@ class LogDeleteView(LoginRequiredMixin, DeleteView):
 @permission_required("scipost.can_view_production", raise_exception=True)
 def _hx_worklog_delete(request, slug):
     log = get_object_or_404(WorkLog, pk=slug_to_id(slug))
+
+    if request.user != log.user:
+        return HTMXPermissionsDenied(
+            "You do not have permission to delete this work log."
+        )
+
     log.delete()
 
-    return HttpResponse(
-        r"""<div class="text-danger border border-danger p-3">
-                Work log has been deleted.
-            </div>"""
-    )
+    return HTMXResponse("Work log has been deleted.", tag="danger")
 
 
 def personal_timesheet(request):
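Review bot: The new ownership check closes the cross-user deletion, but `_hx_worklog_delete` still performs the delete on any HTTP method, including GET, and Django's CSRF middleware only protects unsafe methods, so a plain link or image fetch can still delete the requester's own log. Restrict the view to the verb the template's hx- attribute actually sends, e.g. `@require_http_methods(["DELETE", "POST"])` from `django.views.decorators.http` placed above the `@permission_required` line. The ownership test `request.user != log.user` now also denies users who hold `scipost.can_view_production` but did not author the log; if finance staff are expected to clean up other people's entries, that is a behaviour change worth a comment such as `# only the author may delete a work log; staff cleanup is intentionally not allowed`. Note the 404 is raised before the 403, so the response still distinguishes "log does not exist" from "not yours" — harmless here, but worth knowing if the slug is user-controlled.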
-- 
GitLab