From 5abbb842543b0bf48cf7a4d361c8f0b4522df27c Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <yohann.danello@gmail.com>
Date: Sat, 15 Aug 2020 22:24:48 +0200
Subject: [PATCH] Permissions for activities must be more specific to prevent
 that anyone can validate its own activity

---
 apps/permission/fixtures/initial.json | 166 ++++++++++++++++++++++----
 1 file changed, 146 insertions(+), 20 deletions(-)

diff --git a/apps/permission/fixtures/initial.json b/apps/permission/fixtures/initial.json
index 192b9391..4a48dd83 100644
--- a/apps/permission/fixtures/initial.json
+++ b/apps/permission/fixtures/initial.json
@@ -551,22 +551,6 @@
 			"description": "Voir toutes les activités valides"
 		}
 	},
-	{
-		"model": "permission.permission",
-		"pk": 35,
-		"fields": {
-			"model": [
-				"activity",
-				"activity"
-			],
-			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
-			"type": "change",
-			"mask": 1,
-			"field": "",
-			"permanent": false,
-			"description": "Modifier les activités non validées dont on est l'auteur"
-		}
-	},
 	{
 		"model": "permission.permission",
 		"pk": 36,
@@ -2375,6 +2359,134 @@
 			"description": "Supprimer une facture"
 		}
 	},
+	{
+		"model": "permission.permission",
+		"pk": 152,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "name",
+			"permanent": false,
+			"description": "Modifier le nom d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 153,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "description",
+			"permanent": false,
+			"description": "Modifier la description d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 154,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "location",
+			"permanent": false,
+			"description": "Modifier le lieu d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 155,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "activity_type",
+			"permanent": false,
+			"description": "Modifier le type d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 156,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "organizer",
+			"mask": 1,
+			"field": "name",
+			"permanent": false,
+			"description": "Modifier l'organisateur d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 157,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "attendees_club",
+			"permanent": false,
+			"description": "Modifier le club attendu d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 158,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "date_start",
+			"permanent": false,
+			"description": "Modifier la date de début d'une activité non validée dont on est l'auteur"
+		}
+	},
+	{
+		"model": "permission.permission",
+		"pk": 159,
+		"fields": {
+			"model": [
+				"activity",
+				"activity"
+			],
+			"query": "[\"AND\", {\"valid\": false}, {\"creater\": [\"user\"]}]",
+			"type": "change",
+			"mask": 1,
+			"field": "date_end",
+			"permanent": false,
+			"description": "Modifier la date de fin d'une activité non validée dont on est l'auteur"
+		}
+	},
 	{
 		"model": "permission.role",
 		"pk": 1,
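Review bot: The entry with pk 156 appears to have `type` and `field` swapped: it sets `"type": "organizer"` and `"field": "name"`, while its description is about changing the organiser and every sibling entry uses `"type": "change"`. As written it repeats the field of pk 152 and never names the organiser field. How the permission backend treats an unknown type is not visible here, so it should not be assumed to fail closed. I would change the two lines to `"type": "change",` and `"field": "organizer",` (assuming that is the model's field name). The other new entries list editable fields one by one and leave `valid` out, which matches the intent in the commit subject.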
@@ -2409,7 +2521,6 @@
 			"name": "Adh\u00e9rent Kfet",
 			"permissions": [
 				34,
-				35,
 				36,
 				6,
 				39,
@@ -2431,7 +2542,15 @@
 				101,
 				108,
 				109,
-				144
+				144,
+				152,
+				153,
+				154,
+				155,
+				156,
+				157,
+				158,
+				159
 			]
 		}
 	},
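Review bot: Granting 152–159 to this role (and to the role list in the hunk at new line 2831) only narrows access on installs where the old permission 35 is actually gone, and dropping an entry from a fixture does not normally delete the row from a database that was already loaded. If this file is applied as a Django fixture with loaddata, existing deployments would keep permission 35 with its empty `field`. Any role not redefined by this file that still references it would then keep the broad change right, which per the commit subject let authors validate their own activity. A data migration or an explicit cleanup step that deletes permission 35 would close that gap, since the fixture cannot express the deletion itself.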
@@ -2600,7 +2719,6 @@
 				32,
 				33,
 				34,
-				35,
 				36,
 				37,
 				38,
@@ -2713,7 +2831,15 @@
 				148,
 				149,
 				150,
-				151
+				151,
+				152,
+				153,
+				154,
+				155,
+				156,
+				157,
+				158,
+				159
 			]
 		}
 	},
-- 
GitLab