fix: checks on session and role-invite api

shreyanshdwivedi · shreyanshdwivedi · commit c3295d1f7e7c · 2019-07-01T16:17:07.000+05:30
diff --git a/app/api/role_invites.py b/app/api/role_invites.py
@@ -112,7 +112,7 @@ def before_update_object(self, role_invite, data, view_kwargs):
         """
         user = User.query.filter_by(email=role_invite.email).first()
         if user:
-            if not has_access('is_user_itself', user_id=user.id):
+            if not has_access('is_organizer', event_id=role_invite.event_id) and not has_access('is_user_itself', user_id=user.id):
                 raise UnprocessableEntity({'source': ''}, "Only users can edit their own status")
         if not user and not has_access('is_organizer', event_id=role_invite.event_id):
             raise UnprocessableEntity({'source': ''}, "User not registered")
diff --git a/app/api/sessions.py b/app/api/sessions.py
@@ -141,7 +141,7 @@ def before_update_object(self, session, data, view_kwargs):
         :return:
         """
         if data.get('is_locked') != session.is_locked:
-            if not (has_access('is_admin') or has_access('is_organizer')):
+            if not (has_access('is_admin') or has_access('is_organizer', event_id=session.event_id)):
                 raise ForbiddenException({'source': '/data/attributes/is-locked'},
                                          "You don't have enough permissions to change this property")
 
