Authorization check for edit member post route

2018-09-04 15:21:46 -04:00 · 2018-09-04 15:21:46 -04:00 · 75ea8025c1
commit 75ea8025c1
parent 1808acd5f4
1 changed files with 6 additions and 0 deletions
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@ -145,6 +145,12 @@ def view_member(workspace_id, member_id):
 )
 def update_member(workspace_id, member_id):
    workspace = Workspaces.get(g.current_user, workspace_id)
+    Authorization.check_workspace_permission(
+        g.current_user,
+        workspace,
+        Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
+        "edit this workspace user",
+    )
    member = WorkspaceUsers.get(workspace_id, member_id)
    form = UpdateMemberForm(http_request.form)