From b151e1fcf3238bb3a9dff8ac2c070459da1b8db9 Mon Sep 17 00:00:00 2001 From: FreneticScribbler Date: Thu, 18 May 2023 13:34:32 +0100 Subject: [PATCH] Checkin only requires login (no perms) and block users from editing other checkins at Django level --- RIGS/urls.py | 8 ++++---- RIGS/views/hs.py | 6 ++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/RIGS/urls.py b/RIGS/urls.py index a755b0a2..9a5a1f7c 100644 --- a/RIGS/urls.py +++ b/RIGS/urls.py @@ -101,13 +101,13 @@ urlpatterns = [ path('event/power//review/', permission_required_with_403('RIGS.review_power')(views.MarkReviewed.as_view()), name='pt_review', kwargs={'model': 'PowerTestRecord'}), - path('event//checkin/', permission_required_with_403('RIGS.add_eventcheckin')(views.EventCheckIn.as_view()), + path('event//checkin/', login_required(views.EventCheckIn.as_view()), name='event_checkin'), - path('event/checkout/', permission_required_with_403('RIGS.change_eventcheckin')(views.EventCheckOut.as_view()), + path('event/checkout/', login_required(views.EventCheckOut.as_view()), name='event_checkout'), - path('event//checkin/edit/', permission_required_with_403('RIGS.change_eventcheckin')(views.EventCheckInEdit.as_view()), + path('event//checkin/edit/', login_required(views.EventCheckInEdit.as_view()), name='edit_checkin'), - path('event//checkin/add/', permission_required_with_403('RIGS.add_eventcheckin')(views.EventCheckInOverride.as_view()), + path('event//checkin/add/', login_required(views.EventCheckInOverride.as_view()), name='event_checkin_override'), # Finance diff --git a/RIGS/views/hs.py b/RIGS/views/hs.py index 0fef4dfb..a2ac9786 100644 --- a/RIGS/views/hs.py +++ b/RIGS/views/hs.py 
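Review bot: All four check-in routes swap their model permission for a bare `login_required`, but the only object-level check visible in this patch is the `dispatch` override added to `EventCheckInEdit`. Unless `EventCheckOut` and `EventCheckInOverride` enforce ownership in code outside this diff, both are now open to any authenticated account. If the override view records a check-in on another person's behalf (inferred from its name; its body is not shown), it should keep a gate such as `permission_required_with_403('RIGS.add_eventcheckin')(views.EventCheckInOverride.as_view())`, or gain an in-view check limiting it to the event's MIC. A short comment above these four `path()` entries stating that authorisation is enforced inside the views would stop a later reader from treating the URL layer as the only guard.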
@@ -263,6 +263,12 @@ class EventCheckInEdit(generic.UpdateView, ModalURLMixin): template_name = 'hs/eventcheckin_form.html' form_class = forms.EditCheckInForm + def dispatch(self, request, *args, **kwargs): + obj = self.get_object() + if not obj.person == self.request.user and not obj.event.mic == self.request.user: + return redirect(self.request.META.get('HTTP_REFERER', '/')) + return super().dispatch(request) + def get_success_url(self): return self.get_close_url('event_detail', 'event_detail') # Well, that's one way of doing that...!
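Review bot: The denial branch of the new `dispatch` answers an unauthorised edit attempt with a 302 to the client-supplied `Referer` header, so the redirect target is unvalidated and no 403 is produced for logging or alerting. Raising `PermissionDenied` from `django.core.exceptions` (add the import if `hs.py` lacks it) would restore the 403 these routes returned under `permission_required_with_403`: `if obj.person != request.user and obj.event.mic != request.user: raise PermissionDenied`. If a redirect is really wanted, the target should first pass `url_has_allowed_host_and_scheme`. The final line also drops the view arguments; `return super().dispatch(request, *args, **kwargs)` keeps the override transparent. The rest of `EventCheckInEdit` lies outside the hunk, so how `get_object()` resolves this early could not be checked here.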