Skip to content

Add region check before creating an event

Alex requested to merge 489-event-permission into master

Part of #489

What does this MR do?

Adds a permission check: users are only allowed to create events in a region in which they are a member. The frontend already prevents this, but the backend doesn't check. Theoretically you could still create events in every region by changing the http request.

How confident are you it won't break things if deployed?

very sure

Links to related issues

How to test

Not really testable because you can only select regions in the frontend if you are a member.

Screenshots (if applicable)

Checklist

  • added a test, or explain why one is not needed/possible...
  • no unrelated changes
  • asked someone for a code review
  • set a "for:" label to indicate who will be affected by this change
  • added to the next milestone (see https://gitlab.com/foodsharing-dev/foodsharing/-/milestones, unless it has a "for:Dev" label)
  • added an entry to CHANGELOG.md
  • added a short text in the release notes to /release-notes/YYYY-MM.md
  • Once your MR has been merged, you are responsible to create a testing issue in the Beta Testing forum: https://foodsharing.de/region?bid=734&sub=forum. Please change the MRs label to "state:Beta testing".
    • Consider writing a detailed description in German.
    • Describe in a few sentences, what should be tested from a user perspective.
    • Also mention different settings (e.g. different browsers, roles, ...) how this change can be tested.
    • Be aware, that also non technical people should understand.

Closes #489

Merge request reports

Loading