refactor: Update EventOrganizationsViewSet delete method for permissi…

…on check
WikiMovimentoBrasil · Aug 8, 2024 · 1ccc820 · 1ccc820
1 parent a412f54
commit 1ccc820
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/events/views.py b/events/views.py
@@ -184,4 +184,14 @@ def create(self, request, *args, **kwargs):
             request._full_data = data
             return super().create(request, *args, **kwargs)
         else:
-            return Response("Only the organizer, committee or staff can create a participant", status=status.HTTP_403_FORBIDDEN)
+            return Response("Only the organizer, committee or staff can create a participant", status=status.HTTP_403_FORBIDDEN)
+
+    # Only Organizer, Commitee, Staff and managers of the organization can delete the organization participation
+    def delete(self, request, *args, **kwargs):
+        team = EventOrganizations.objects.filter(event=request.data['event'], role__in=['organizer', 'committee'])
+        if (request.user.pk in team.values_list('organization', flat=True) or
+            request.user.is_staff or
+            request.user.pk in self.get_object().organization.managers.values_list('pk', flat=True)):
+            return super().delete(request, *args, **kwargs)
+        else:
+            return Response("Only the organizer, committee, staff and managers of the organization can edit this participation", status=status.HTTP_403_FORBIDDEN)