From 6c70092362f6df226b152501c7db83f552f3e383 Mon Sep 17 00:00:00 2001
From: youichiro
Date: Tue, 20 Jul 2021 07:33:14 +0900
Subject: [PATCH] restrict project creation to staff users
---
 backend/api/views/project.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/backend/api/views/project.py b/backend/api/views/project.py
index 41d13e82..663171b0 100644
--- a/backend/api/views/project.py
+++ b/backend/api/views/project.py
@@ -3,6 +3,7 @@ from rest_framework import generics, status
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
+from ..exceptions import ProjectCreationPermissionDenied
 from ..models import Project
 from ..permissions import IsInProjectReadOnlyOrAdmin
 from ..serializers import ProjectPolymorphicSerializer, ProjectSerializer
@@ -17,7 +18,10 @@ class ProjectList(generics.ListCreateAPIView):
 return self.request.user.projects
 def perform_create(self, serializer):
- serializer.save(users=[self.request.user])
+ if self.request.user.is_staff:
+ serializer.save(users=[self.request.user])
+ else:
+ raise ProjectCreationPermissionDenied()
 def delete(self, request, *args, **kwargs):
 delete_ids = request.data['ids']
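Review bot: The staff check added in `perform_create` runs only after DRF has parsed and validated the request body, so a non-staff caller still reaches serializer validation and its error messages before being refused; the authorization decision belongs in the permission layer. Consider overriding `get_permissions` on `ProjectList` so POST is rejected up front, e.g. `if self.request.method == 'POST': return [IsAuthenticated(), IsAdminUser()]` (with `IsAdminUser` imported from `rest_framework.permissions`), and returning `super().get_permissions()` otherwise. `ProjectCreationPermissionDenied` is defined outside this diff, so confirm it maps to HTTP 403 rather than the 500 default of a plain `APIException`. The class's `permission_classes` and the rest of `delete` lie outside the hunk, so whether the bulk delete shown as context is similarly restricted cannot be judged from here.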