diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f0967266f8457a53a7c1b2ce399c9c4f7365ad4a..7630596161c422190318d4edea74facb4f3f2e48 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -61,6 +61,7 @@ Fixed
 * [Dev] Allow activating more frequent polling for Celery task progress.
 * [OIDC] Custom additional claims were not present in userinfo
 * Synchronisation of AlekSIS and Django groups caused permissions issues
+* Permission checks for dashboard widget creation and person invitations were invalid
 Removed
 ~~~~~~~
diff --git a/aleksis/core/rules.py b/aleksis/core/rules.py
index 2c7a6adff8e9e7b680c71ea2a91a67dbbff39160..20e108bb09aa3481a78354145169b3331c763f33 100644
--- a/aleksis/core/rules.py
+++ b/aleksis/core/rules.py
@@ -421,7 +421,7 @@ create_personal_event_predicate = has_person
 rules.add_perm("core.create_personal_event_rule", create_personal_event_predicate)
 create_personal_event_with_invitations_predicate = has_person & has_global_perm(
- "core.create_personalevent"
+ "core.add_personalevent"
 )
 rules.add_perm(
 "core.create_personal_event_with_invitations_rule",
diff --git a/aleksis/core/schema/person.py b/aleksis/core/schema/person.py
index 3e2af57c2ea06317135e82d00aa0c149e0ecfa60..b501eba425dc36814cfc23826cb1781befcbab6a 100644
--- a/aleksis/core/schema/person.py
+++ b/aleksis/core/schema/person.py
@@ -241,7 +241,7 @@ class PersonType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 return root.user and info.context.user.has_perm("core.impersonate_rule", root)
 def resolve_can_invite_person(root, info, **kwargs): # noqa
- return (not root.user) and info.context.user.has_perm("core.can_invite_rule", root)
+ return (not root.user) and info.context.user.has_perm("core.invite_rule", root)
 class PersonMutation(DjangoModelFormMutation):
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 635e4d85405c376c8183632ad7aba95443a930eb..6c63e88620d6b8a45f92b49212b2751bd5f3870f 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
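Review bot: In aleksis/core/rules.py, `has_global_perm("core.add_personalevent")` appears to take a Django model permission codename, while the neighbouring strings (`"core.create_personal_event_rule"`, `"core.create_personal_event_with_invitations_rule"`) are rules names, and nothing at the call site says which namespace applies. A one-line comment above the predicate would make the distinction explicit, for example `# has_global_perm takes a Django model permission codename (add_/change_/delete_/view_), not a *_rule name`. The old codename presumably matched no permission and so was never granted to ordinary users, meaning the mistake denied access silently rather than widening it; that is worth confirming. The `rules.add_perm(` call continues past the end of the hunk.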
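Review bot: The rule names corrected in aleksis/core/schema/person.py (`"core.invite_rule"`) and in the aleksis/core/views.py hunk (`"core.create_dashboardwidget_rule"`) remain free-form string literals, and this diff adds no test that either name is actually registered. django-rules evaluates an unregistered permission name to False, so a mismatch fails closed and nothing reports it. A regression test asserting `rules.perm_exists("core.invite_rule")` and `rules.perm_exists("core.create_dashboardwidget_rule")` would catch the next rename. Separately, `resolve_can_invite_person` only reports a capability to the client; whether the invitation endpoint itself enforces the same rule server-side is not visible in this hunk and is worth confirming.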
@@ -785,7 +785,7 @@ class DashboardWidgetCreateView(PermissionRequiredMixin, AdvancedCreateView):
 return super().post(request, *args, **kwargs)
 fields = "__all__"
- permission_required = "core.add_dashboardwidget_rule"
+ permission_required = "core.create_dashboardwidget_rule"
 template_name = "core/dashboard_widget/create.html"
 success_url = reverse_lazy("dashboard_widgets")
 success_message = _("The dashboard widget has been created.")