diff --git a/compendium_v2/routes/response.py b/compendium_v2/routes/response.py
index b8d799781308f9523e41e5b46f0f9fc4904ac7b0..9ba078e5db8c00cf4a7bf7fc0588508b7fc603e3 100644
--- a/compendium_v2/routes/response.py
+++ b/compendium_v2/routes/response.py
@@ -91,13 +91,19 @@ def check_access_nren_read(user: User, nren: str) -> bool:
 def check_access_nren_write(user: User, nren: str) -> bool:
     if not check_access_nren_read(user, nren):
+        # if you can't read it, you definitely shouldn't write to it
         return False
+
     if user.is_observer:
         # observers can't edit their own nrens either!
         return False
-    # admins can edit all nrens
-    # users can edit their own nrens
-    return True
+    if user.is_admin:
+        # admins can edit all nrens
+        return True
+    if nren == user.nren:
+        # users can edit for the nren they are assigned to
+        return True
+    return False
 
 @routes.route('/try/<int:year>', methods=['GET'])
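Review bot: check_access_nren_write now encodes a four-step authorization policy but has no docstring; add one under the def line, e.g. `"""Return True if user may edit data for nren: admins for any nren, non-observer users for their own nren; callers without read access never get write access."""`. The new `nren == user.nren` comparison assumes user.nren carries the same string form as the route parameter; if it is a related model object or differs in case or whitespace, every non-admin would be denied, so confirm against the User model, which is outside this hunk. The explicit trailing `return False` is the right deny-by-default shape and is an improvement over the old unconditional `return True`. Note also that the observer check runs before the admin check, so an account flagged both observer and admin is denied; if that is intended, a comment such as `# observer status overrides admin rights` on the observer branch would stop a later reader from reordering it.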