From b38f83ff44407b8b37a90e7b82487a121bab0eed Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Fri, 10 Nov 2023 14:15:32 +0100
Subject: [PATCH] add permission checks to pub resource manager

---
 scipost_django/journals/views.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scipost_django/journals/views.py b/scipost_django/journals/views.py
index 119b3ab0d..6db8c7a5d 100644
--- a/scipost_django/journals/views.py
+++ b/scipost_django/journals/views.py
@@ -688,6 +688,7 @@ def draft_accompanying_publication(request, doi_label):
     return render(request, "journals/draft_accompanying_publication.html", context)
 
 
+@permission_required("scipost.can_draft_publication", raise_exception=True)
 def manage_publication_resources(request, doi_label):
     publication = get_object_or_404(Publication, doi_label=doi_label)
     context = {
@@ -698,6 +699,11 @@ def manage_publication_resources(request, doi_label):
     )
 
 
+@method_decorator(login_required, name="dispatch")
+@method_decorator(
+    permission_required("scipost.can_draft_publication", raise_exception=True),
+    name="dispatch",
+)
 class HTMXInlinePublicationResourceListView(HTMXInlineCRUDModelListView):
     model = PublicationResource
     model_form_view_url = "journals:_hx_publication_resource"
-- 
GitLab