@@ -334,9 +334,10 @@ def liaison_history(request, object_id):
334334def liaison_delete_attachment (request , object_id , attach_id ):
335335 liaison = get_object_or_404 (LiaisonStatement , pk = object_id )
336336 attach = get_object_or_404 (LiaisonStatementAttachment , pk = attach_id )
337- if not ( request . user . is_authenticated () and can_edit_liaison (request .user , liaison ) ):
337+ if not can_edit_liaison (request .user , liaison ):
338338 return HttpResponseForbidden ("You are not authorized for this action" )
339339
340+ # FIXME: this view should use POST instead of GET when deleting
340341 attach .removed = True
341342 attach .save ()
342343
@@ -352,7 +353,7 @@ def liaison_delete_attachment(request, object_id, attach_id):
352353
353354def liaison_detail (request , object_id ):
354355 liaison = get_object_or_404 (LiaisonStatement , pk = object_id )
355- can_edit = request . user . is_authenticated () and can_edit_liaison (request .user , liaison )
356+ can_edit = can_edit_liaison (request .user , liaison )
356357 can_take_care = _can_take_care (liaison , request .user )
357358 can_reply = _can_reply (liaison , request .user )
358359 person = get_person_for_user (request .user )
@@ -391,15 +392,15 @@ def liaison_detail(request, object_id):
391392
392393def liaison_edit (request , object_id ):
393394 liaison = get_object_or_404 (LiaisonStatement , pk = object_id )
394- if not ( request . user . is_authenticated () and can_edit_liaison (request .user , liaison ) ):
395+ if not can_edit_liaison (request .user , liaison ):
395396 return HttpResponseForbidden ('You do not have permission to edit this liaison statement' )
396397 return liaison_add (request , instance = liaison )
397398
398399def liaison_edit_attachment (request , object_id , doc_id ):
399400 '''Edit the Liaison Statement attachment title'''
400401 liaison = get_object_or_404 (LiaisonStatement , pk = object_id )
401402 doc = get_object_or_404 (Document , pk = doc_id )
402- if not ( request . user . is_authenticated () and can_edit_liaison (request .user , liaison ) ):
403+ if not can_edit_liaison (request .user , liaison ):
403404 return HttpResponseForbidden ("You are not authorized for this action" )
404405
405406 if request .method == 'POST' :
0 commit comments