From 7c4c1bc38702847dd5f9cdd0191f3b64e4b12452 Mon Sep 17 00:00:00 2001
From: Sli <antoine@bartuccio.fr>
Date: Tue, 9 Aug 2022 18:11:20 +0200
Subject: [PATCH] Fix permissions on download pictures feature

---
 api/views/sas.py                        | 4 ++--
 core/templates/core/user_pictures.jinja | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/api/views/sas.py b/api/views/sas.py
index 277ed390..063b9eab 100644
--- a/api/views/sas.py
+++ b/api/views/sas.py
@@ -6,7 +6,7 @@ from rest_framework.renderers import JSONRenderer
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from core.views import can_edit_prop
+from core.views import can_edit
 from core.models import User
 from sas.models import Picture
 
@@ -24,7 +24,7 @@ def all_pictures_of_user(user: User) -> List[Picture]:
 @renderer_classes((JSONRenderer,))
 def all_pictures_of_user_endpoint(request: Request, user: int):
     requested_user: User = get_object_or_404(User, pk=user)
-    if not can_edit_prop(requested_user, request.user):
+    if not can_edit(requested_user, request.user):
         raise PermissionDenied
 
     return Response(
diff --git a/core/templates/core/user_pictures.jinja b/core/templates/core/user_pictures.jinja
index d2ee9844..2d4e26a0 100644
--- a/core/templates/core/user_pictures.jinja
+++ b/core/templates/core/user_pictures.jinja
@@ -5,7 +5,9 @@
 {% endblock %}
 
 {% block content %}
-    <button id="download_all_pictures", onclick=download_pictures()>{% trans %}Download all my pictures{% endtrans %}</button>
+    {% if can_edit(profile, user) %}
+        <button id="download_all_pictures", onclick=download_pictures()>{% trans %}Download all my pictures{% endtrans %}</button>
+    {% endif %}
 {% for a in albums %}
     <div style="padding: 10px">
         <h4>{{ a.name }}</h4>