Enforce ticket access on labels via email

2019-07-08 13:10:18 -04:00 · 2019-07-08 13:10:18 -04:00 · ebc57e1c43
parent 102998365b
commit ebc57e1c43
1 changed files with 4 additions and 0 deletions
--- a/4
+++ b/4
@ -138,6 +138,10 @@ class MailHandler:
                if len(labels) != len(cmd) - 1:
                    return ("550 The label you requested does not exist on " +
                        "this tracker.")
+                if not TicketAccess.triage in access:
+                    print(f"Rejected, {sender.canonical_name} has insufficient " +
+                        f"permissions (have {access}, want triage)")
+                    return "550 You do not have permission to triage on this tracker."
                for label in labels:
                    ticket_label = (TicketLabel.query
                            .filter(TicketLabel.label_id == label.id)