From 7e26e01a258c89a5638cac32d8f069092d456347 Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Wed, 26 Feb 2025 15:52:22 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=9B=82=20fix=20wrong=20add=20notes?=
 =?UTF-8?q?=20permission=20check?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scipost_django/pins/views.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/scipost_django/pins/views.py b/scipost_django/pins/views.py
index 2a99a4eb7..4ffe62171 100644
--- a/scipost_django/pins/views.py
+++ b/scipost_django/pins/views.py
@@ -6,12 +6,13 @@ from django.db.models import Q
 from django.shortcuts import HttpResponse
 from django.template.response import TemplateResponse
 
-from scipost.permissions import HTMXResponse
+from scipost.permissions import HTMXResponse, permission_required_htmx
 
 from .models import Note
 from .forms import NoteForm
 
 
+@permission_required_htmx("scipost.can_add_notes")
 def _hx_note_create_form(request, regarding_content_type, regarding_object_id):
     regarding_content_type = ContentType.objects.get_for_id(regarding_content_type)
     form = NoteForm(
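Review bot: The decorator added to `_hx_note_create_form` checks only the global `scipost.can_add_notes` permission, while `regarding_content_type` and `regarding_object_id` still come from the request. Nothing visible in this hunk confirms that the user is allowed to see the object being annotated. The body continues outside the hunk; if it does not already do so, it should resolve the target object and apply the same visibility rule that reading uses before building `NoteForm`. Separately, `ContentType.objects.get_for_id(...)` raises `ContentType.DoesNotExist` for an unknown id, so a bad id surfaces as a 500; catching it and returning a 404 or an `HTMXResponse(..., tag="danger")` would be cleaner.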
@@ -45,9 +46,7 @@ def _hx_note_delete(request, pk):
         note.delete()
         return HttpResponse()
     else:
-        response = HTMXResponse(
-            "You are not the author of this note.", tag="danger"
-        )
+        response = HTMXResponse("You are not the author of this note.", tag="danger")
 
     response["HX-Trigger"] = "notes-updated"
     return response
@@ -62,7 +61,7 @@ def _hx_notes_list(request, regarding_content_type, regarding_object_id):
     )
 
     # Handle permission checks for viewing and creating notes
-    can_create_notes = request.user.has_perm("pins.can_add_notes")
+    can_create_notes = request.user.has_perm("scipost.can_add_notes")
 
     # Filter according to the visibility of the notes
     notes = notes.visible_to(request.user, object.__class__)
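Review bot: The permission codename `"scipost.can_add_notes"` is now written out twice in this file, once in the decorator on `_hx_note_create_form` and once here, and the bug being fixed came from exactly such a literal carrying the wrong app label. `has_perm` returns False for a codename that does not exist instead of raising, so a typo like the old `pins.` prefix silently hides the feature from non-superusers. Consider one module-level constant, `CAN_ADD_NOTES = "scipost.can_add_notes"`, used in both places, plus a test asserting that a user granted the permission gets `can_create_notes` true. The existing comment could also state that this flag presumably only drives the template, e.g. `# UI hint only; creation is enforced by permission_required_htmx on _hx_note_create_form`. `_hx_notes_list` starts and ends outside the hunk.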
-- 
GitLab