fix: checks on session and role-invite api

Author: shreyanshdwivedi

app/api/admin_statistics_api/users.py

@@ -30,6 +30,7 @@ class Meta:
     admin = fields.Method("admin_count")
     verified = fields.Method("verified_count")
     unverified = fields.Method("unverified_count")
+    owner = fields.Method("owner_count")
     organizer = fields.Method("organizer_count")
     coorganizer = fields.Method("coorganizer_count")
     attendee = fields.Method("attendee_count")
@@ -53,6 +54,9 @@ def get_all_user_roles(self, role_name):
             UsersEventsRoles.role == role).distinct()
         return newquery
 
+    def owner_count(self, obj):
+        return self.get_all_user_roles('owner').count()
+
     def organizer_count(self, obj):
         return self.get_all_user_roles('organizer').count()
 

app/api/role_invites.py

@@ -112,8 +112,10 @@ def before_update_object(self, role_invite, data, view_kwargs):
         """
         user = User.query.filter_by(email=role_invite.email).first()
         if user:
-            if not has_access('is_user_itself', user_id=user.id):
-                raise UnprocessableEntity({'source': ''}, "Only users can edit their own status")
+            if not has_access('is_organizer', event_id=role_invite.event_id) and not has_access('is_user_itself',
+                                                                                                user_id=user.id):
+                raise UnprocessableEntity({'source': ''},
+                                          "Status can be updated only by event organizer or user hiself")
         if not user and not has_access('is_organizer', event_id=role_invite.event_id):
             raise UnprocessableEntity({'source': ''}, "User not registered")
         if not has_access('is_organizer', event_id=role_invite.event_id) and (len(list(data.keys())) > 1 or

app/api/sessions.py

@@ -141,7 +141,7 @@ def before_update_object(self, session, data, view_kwargs):
         :return:
         """
         if data.get('is_locked') != session.is_locked:
-            if not (has_access('is_admin') or has_access('is_organizer')):
+            if not (has_access('is_admin') or has_access('is_organizer', event_id=session.event_id)):
                 raise ForbiddenException({'source': '/data/attributes/is-locked'},
                                          "You don't have enough permissions to change this property")