From 83c461b9b3adf01f0d928fe7681c9f151f422beb Mon Sep 17 00:00:00 2001
From: Bjarke Madsen <bjarke@nordu.net>
Date: Thu, 7 Sep 2023 16:48:48 +0200
Subject: [PATCH] be explicit

---
 compendium_v2/routes/response.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/compendium_v2/routes/response.py b/compendium_v2/routes/response.py
index b8d79978..9ba078e5 100644
--- a/compendium_v2/routes/response.py
+++ b/compendium_v2/routes/response.py
@@ -91,13 +91,19 @@ def check_access_nren_read(user: User, nren: str) -> bool:
 
 def check_access_nren_write(user: User, nren: str) -> bool:
     if not check_access_nren_read(user, nren):
+        # if you can't read it, you definitely shouldn't write to it
         return False
+
     if user.is_observer:
         # observers can't edit their own nrens either!
         return False
-    # admins can edit all nrens
-    # users can edit their own nrens
-    return True
+    if user.is_admin:
+        # admins can edit all nrens
+        return True
+    if nren == user.nren:
+        # users can edit for the nren they are assigned to
+        return True
+    return False
 
 
 @routes.route('/try/<int:year>', methods=['GET'])
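Review bot: check_access_nren_write now encodes a four-step policy with a deny-by-default fall-through, but the function carries no docstring stating that policy, so a caller has to read the body to learn that the observer check deliberately precedes the admin check (an admin flagged as observer is denied, which is existing behaviour this commit only makes explicit). I would add a docstring along the lines of `"""Return True only if *user* may edit *nren*: read access is required, observers are always denied, admins may edit any NREN, and other users may edit only the NREN they are assigned to."""`. The final `return False` is the right default for an authorization helper; a one-line comment such as `# deny by default: no matching grant above` would make clear it is intentional rather than a leftover. The `nren == user.nren` comparison is an exact string match, presumably on identifiers normalized elsewhere; if that is the case a short note saying so would save the next reader from wondering about case or whitespace differences.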
-- 
GitLab