From b0b989a8c5aa3029bc66038936380e2ea8c18f40 Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Mon, 10 Jun 2024 14:26:47 +0200
Subject: [PATCH] fix users unable to add own profile emails

---
 scipost_django/profiles/views.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scipost_django/profiles/views.py b/scipost_django/profiles/views.py
index fa98992eb..27f8d4583 100644
--- a/scipost_django/profiles/views.py
+++ b/scipost_django/profiles/views.py
@@ -429,12 +429,20 @@ def _hx_profile_specialties(request, profile_id):
     return render(request, "profiles/_hx_profile_specialties.html", context)
 
 
-@permission_required_htmx("scipost.can_add_profile_emails")
 def _hx_add_profile_email(request, profile_id):
     """
     Add an email address to a Profile.
     """
     profile = get_object_or_404(Profile, pk=profile_id)
+
+    is_self_profile = request.user.contributor.profile == profile
+    can_add_any_emails = request.user.has_perm("scipost.can_add_profile_emails")
+    if not (is_self_profile or can_add_any_emails):
+        return HTMXResponse(
+            "You do not have the required permissions to add an email to this profile.",
+            tag="danger",
+        )
+
     form = AddProfileEmailForm(
         request.POST or None,
         profile=profile,
-- 
GitLab