Correctly check for permissions on user owned petitions for transferr…

…ing petitions
pytition · Jun 10, 2020 · 8cb426a · 8cb426a
1 parent 24002a0
commit 8cb426a
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/pytition/petition/views.py b/pytition/petition/views.py
@@ -1623,6 +1623,9 @@ def transfer_petition(request, petition_id):
  messages.error(request, _("You don't have the permission to transfer a petition from Organization '{}'"
  .format(petition.owner)))
  return redirect("org_dashboard", petition.owner)
+ elif petition.owner_type == "user" and petition.user != pytitionuser:
+ messages.error(request, _("You don't have the permission to transfer this petition"))
+ return redirect("user_dashboard")
 
  if petition.owner_type == "org":
  ctx['base_template'] = 'petition/org_base.html'