From 55adf573f1cb101c8f08b2ed51fabaf2aadf6d67 Mon Sep 17 00:00:00 2001
From: Ashley
Date: Thu, 31 Oct 2024 02:39:49 +0000
Subject: [PATCH 1/3] Update: removed internal permission for approval surrender

---
 mooringlicensing/components/approvals/api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mooringlicensing/components/approvals/api.py b/mooringlicensing/components/approvals/api.py
index f4cd9071f..57e295310 100755
--- a/mooringlicensing/components/approvals/api.py
+++ b/mooringlicensing/components/approvals/api.py
@@ -698,7 +698,7 @@ def approval_reinstate(self, request, *args, **kwargs):
 else:
 raise serializers.ValidationError("User not authorised to reinstate approval")
 
- @detail_route(methods=['POST',], detail=True, permission_classes=[InternalApprovalPermission])
+ @detail_route(methods=['POST',], detail=True)
 @basic_exception_handler
 def approval_surrender(self, request, *args, **kwargs):
 instance = self.get_object()
From 4f4b49d931fdf013b697834a5f845a074f292261 Mon Sep 17 00:00:00 2001
From: Ashley
Date: Thu, 31 Oct 2024 02:59:05 +0000
Subject: [PATCH 2/3] Update: auth check to ensure only approved assessors and applicants can surrender approvals

---
 mooringlicensing/components/approvals/models.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mooringlicensing/components/approvals/models.py b/mooringlicensing/components/approvals/models.py
index 56495ff19..79ee4e1a6 100755
--- a/mooringlicensing/components/approvals/models.py
+++ b/mooringlicensing/components/approvals/models.py
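Review bot: Dropping `permission_classes=[InternalApprovalPermission]` from the `approval_surrender` route in api.py leaves the action on the viewset's class-level permissions, which are not visible in this hunk, and as of this patch alone nothing on the visible lines restricts who may surrender a given approval. The per-user check only arrives in the model method in the following patches, so the view gives no hint of where authorisation is enforced. I would either keep a route-level permission class whose `has_object_permission` admits the applicant and the allowed assessors, or at minimum add a comment above the decorator such as `# Authorisation (applicant or allowed assessor) is enforced in the model's approval_surrender()`. It is also worth confirming that `get_object()` draws from a queryset scoped to the requesting user; the body of `approval_surrender` continues outside the hunk.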
@@ -924,6 +924,10 @@ def approval_surrender(self,request,details):
 'surrender_date' : details.get('surrender_date').strftime('%d/%m/%Y'),
 'details': details.get('surrender_details'),
 }
+
+ if not (self.applicant_obj == request.user or not request.user in self.allowed_assessors):
+ raise ValidationError("User not authorised to surrender approval")
+
 today = timezone.now().date()
 surrender_date = datetime.datetime.strptime(self.surrender_details['surrender_date'],'%d/%m/%Y')
 surrender_date = surrender_date.date()
From 3115caa8222a921bd185c19151cfd494e108b67b Mon Sep 17 00:00:00 2001
From: Ashley
Date: Thu, 31 Oct 2024 03:06:04 +0000
Subject: [PATCH 3/3] Update: correct auth check for surrender

---
 mooringlicensing/components/approvals/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mooringlicensing/components/approvals/models.py b/mooringlicensing/components/approvals/models.py
index 79ee4e1a6..7f4cd680e 100755
--- a/mooringlicensing/components/approvals/models.py
+++ b/mooringlicensing/components/approvals/models.py
@@ -925,7 +925,7 @@ def approval_surrender(self,request,details):
 'details': details.get('surrender_details'),
 }
 
- if not (self.applicant_obj == request.user or not request.user in self.allowed_assessors):
+ if not (self.applicant_obj == request.user or request.user in self.allowed_assessors):
 raise ValidationError("User not authorised to surrender approval")
 
 today = timezone.now().date()
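Review bot: The new authorisation check in the [PATCH 2/3] hunk of models.py sits after the dict literal that closes just above it, so `details.get('surrender_date').strftime(...)` has already run and, if that literal is the `self.surrender_details` assignment read back a few lines later, the instance has already been modified for a caller who is then rejected. Moving the `if not (...)` test to the first statement of `approval_surrender` keeps unauthorised requests from touching the object at all; the [PATCH 3/3] hunk leaves the check in the same position. Separately, the condition as written in this patch (`or not request.user in self.allowed_assessors`) rejects only non-applicant assessors and lets every other user through until 3/3 corrects it, so squashing 2/3 and 3/3 would avoid a revision in history with the check inverted. The start of the method is outside the hunk.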
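Review bot: An authorisation failure in the [PATCH 3/3] hunk is reported with `ValidationError`, which in a DRF view is normally rendered as a 400 rather than a 403 (how `basic_exception_handler` maps it is not visible here), so denied attempts are indistinguishable from bad input in client handling and in logs. Raising a permission error instead, e.g. `raise PermissionDenied("User not authorised to surrender approval")`, would make them countable and alertable; that needs the corresponding import, which is outside the hunk. Given that the previous commit shipped this condition inverted, a regression test covering the applicant, an allowed assessor and an unrelated user would be worth adding with this change. The type of `self.applicant_obj` is not shown; if it is not the same user model as `request.user`, the equality would presumably never hold, so that should be confirmed.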