Disallow API access for non-Fairphone-staff users
Do not grant permissions to users who are not in the Fairphone
staff group.
Issue: HIC-250
Change-Id: I400eade07396d24e6168ae12561a643a403b8491
diff --git a/crashreports/permissions.py b/crashreports/permissions.py
index 4ee567d..331c3a2 100644
--- a/crashreports/permissions.py
+++ b/crashreports/permissions.py
@@ -36,8 +36,7 @@
"""Determine whether a user is part of the Hiccup staff.
Returns true if either the user is part of the group
- "FairphoneSoftwareTeam", or he/she has all permissions for manipulating
- crashreports, heartbeats and logfiles.
+ "FairphoneSoftwareTeam".
Args:
user: The user making the request.
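Review bot: The docstring summary still opens with "Returns true if either the user is part of the group", but only one condition is left after this change, so "either" now dangles. Reword the sentence to `Returns true if the user is part of the group "FairphoneSoftwareTeam".` The function signature sits above this hunk, so the rest of the docstring context is not visible here.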
@@ -45,24 +44,7 @@
Returns: True if user is part of the Hiccup staff.
"""
- if user.groups.filter(name=FP_STAFF_GROUP_NAME).exists():
- return True
- return user.has_perms(
- [
- # Crashreports
- "crashreports.add_crashreport",
- "crashreports.change_crashreport",
- "crashreports.del_crashreport",
- # Heartbeats
- "heartbeat.add_crashreport",
- "heartbeat.change_crashreport",
- "heartbeat.del_crashreport",
- # Logfiles
- "heartbeat.add_logfile",
- "heartbeat.change_logfile",
- "heartbeat.del_logfile",
- ]
- )
+ return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()
class HasStatsAccess(BasePermission):
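Review bot: The new `return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()` line makes group membership the only route to staff access, which also changes the result for superusers. Django's `has_perms` returns True for an active superuser, so those accounts passed the old fallback and are now refused unless they are in the group. If that is intended, state it in the docstring, for example `Superusers are not treated as staff unless they belong to the group.` The diff touches only permissions.py, so if no such test exists, add a regression test asserting that a user with every crashreport, heartbeat and logfile permission but outside the group is denied. The function signature lies above this hunk.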