Delete perms: must be staff and in group

2019-07-22 15:46:32 -04:00 · 2019-07-22 15:46:32 -04:00 · d1b1fe1433
commit d1b1fe1433
parent 21e0c6d656
1 changed files with 1 additions and 1 deletions
--- a/todo/views/del_list.py
+++ b/todo/views/del_list.py
@ -17,7 +17,7 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:

    # Ensure user has permission to delete list. Get the group this list belongs to,
    # and check whether current user is a member of that group AND a staffer.
-    if task_list.group not in request.user.groups.all() and not request.user.is_staff:
+    if not (task_list.group in request.user.groups.all() and request.user.is_staff):
        raise PermissionDenied

    if request.method == "POST":