commit 1037bb5637ab617ca1f20c2fe7e025b85705f2cd
author Mitja Nikolaus <mitja@fairphone.com> Mon Nov 05 10:22:22 2018 +0100
committer Mitja Nikolaus <mitja@fairphone.com> Thu Dec 06 14:34:09 2018 +0000
tree a8dafe6bcd91b03431d7f178d922314df0e95afb
parent a901798e36226e9f73a93b6942e7aa3107c80c65

Disallow API access for non-Fairphone-staff users

Do not give permissions for users that are not in the Fairphone
staff group.

Issue: HIC-250
Change-Id: I400eade07396d24e6168ae12561a643a403b8491

crashreports/permissions.py

diff --git a/crashreports/permissions.py b/crashreports/permissions.py
index 4ee567d..331c3a2 100644
--- a/crashreports/permissions.py
+++ b/crashreports/permissions.py
@@ -36,8 +36,7 @@
     """Determine whether a user is part of the Hiccup staff.
 
     Returns true if either the user is part of the group
-    "FairphoneSoftwareTeam", or he/she has all permissions for manipulating
-    crashreports, heartbeats and logfiles.
+    "FairphoneSoftwareTeam".
 
     Args:
         user: The user making the request.
@@ -45,24 +44,7 @@
     Returns: True if user is part of the Hiccup staff.
 
     """
-    if user.groups.filter(name=FP_STAFF_GROUP_NAME).exists():
-        return True
-    return user.has_perms(
-        [
-            # Crashreports
-            "crashreports.add_crashreport",
-            "crashreports.change_crashreport",
-            "crashreports.del_crashreport",
-            # Heartbeats
-            "heartbeat.add_crashreport",
-            "heartbeat.change_crashreport",
-            "heartbeat.del_crashreport",
-            # Logfiles
-            "heartbeat.add_logfile",
-            "heartbeat.change_logfile",
-            "heartbeat.del_logfile",
-        ]
-    )
+    return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()
 
 
 class HasStatsAccess(BasePermission):