From f1c2c4c89f0553167f1cfe67ed66c6e8859c3651 Mon Sep 17 00:00:00 2001
From: james1293
Date: Tue, 23 Jul 2019 11:01:36 -0400
Subject: [PATCH] separate group check and staff check
---
 todo/views/del_list.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/todo/views/del_list.py b/todo/views/del_list.py
index ee82c7b..b423ddf 100644
--- a/todo/views/del_list.py
+++ b/todo/views/del_list.py
@@ -17,7 +17,9 @@ def del_list(request, list_id: int, list_slug: str) -> HttpResponse:
 # Ensure user has permission to delete list. Get the group this list belongs to,
 # and check whether current user is a member of that group AND a staffer.
- if not (task_list.group in request.user.groups.all() and request.user.is_staff):
+ if task_list.group not in request.user.groups.all():
+ raise PermissionDenied
+ if not request.user.is_staff:
 raise PermissionDenied
 if request.method == "POST":
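Review bot: The two new guards in del_list still share one comment written for the old combined condition, so a later edit that relaxes the staff requirement could drop the group-membership check without noticing it is a separate authorization rule; give each its own comment, e.g. `# Deny unless the user belongs to the list's group.` above the first `if` and `# Deletion is additionally restricted to staff.` above the second. Both branches raise the same `PermissionDenied`, which keeps the response from revealing which condition failed, and that is worth stating in the comment so it is preserved. The diffstat shows only this file changed, so no test pins the two denials separately (a staff user outside the group, a group member who is not staff); adding one would catch a regression in either guard. del_list starts before the hunk and continues past it, so whether a login requirement is applied earlier cannot be seen here.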