separate group check and staff check

2019-07-23 11:01:36 -04:00 · 2019-07-23 11:01:36 -04:00 · f1c2c4c89f
commit f1c2c4c89f
parent d1b1fe1433
1 changed files with 3 additions and 1 deletions
--- a/todo/views/del_list.py
+++ b/todo/views/del_list.py
@ -17,7 +17,9 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:

    # Ensure user has permission to delete list. Get the group this list belongs to,
    # and check whether current user is a member of that group AND a staffer.
-    if not (task_list.group in request.user.groups.all() and request.user.is_staff):
+    if task_list.group not in request.user.groups.all():
+        raise PermissionDenied    
+    if not request.user.is_staff:
        raise PermissionDenied

    if request.method == "POST":