Updated container permission check on delete
authorThierry Florac <tflorac@ulthar.net>
Wed, 26 May 2021 09:29:59 +0200
changeset 572 ff87356416c0
parent 571 0acc94352428
child 573 dfa0d5a58084
Updated container permission check on delete
src/pyams_skin/container.py
--- a/src/pyams_skin/container.py	Fri Nov 13 16:30:55 2020 +0100
+++ b/src/pyams_skin/container.py	Wed May 26 09:29:59 2021 +0200
@@ -11,7 +11,7 @@
 #
 
 from pyramid.exceptions import NotFound
-from pyramid.httpexceptions import HTTPInternalServerError, HTTPUnauthorized
+from pyramid.httpexceptions import HTTPForbidden, HTTPInternalServerError
 from pyramid.view import view_config
 from zope.container.interfaces import IContainer
 from zope.interface import implementer
@@ -91,11 +91,11 @@
     # Check permission
     if not ignore_permission:
         context = container[name]
-        permission = get_edit_permission(request, context)
+        permission = get_edit_permission(request, context, action='delete')
         if permission is None:
             raise HTTPInternalServerError("Missing permission definition")
-        elif not request.has_permission(permission, context):
-            raise HTTPUnauthorized()
+        if not request.has_permission(permission, context):
+            raise HTTPForbidden()
     # Delete element
     del container[name]
     return {'status': 'success'}
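Review bot: The `if not ignore_permission:` guard at the top of this hunk skips the whole authorization check, and nothing visible here documents who may set that flag. The function's signature and callers are outside the hunk, so I cannot tell whether the flag can be influenced by request data. I would add a comment above the guard, for example `# ignore_permission is only for trusted internal callers that have already authorized the delete; never derive it from request data`. Separately, `get_edit_permission(request, context, action='delete')` now feeds the fail-closed `HTTPInternalServerError("Missing permission definition")` branch. If that lookup has no fallback to the generic edit permission (not shown here), contexts without a delete-specific registration would start returning 500 on delete, so this is worth confirming with a test.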