Check permissions and ownership when changing a project

Fixes #10

src/app/models/project.py

@@ -133,6 +133,10 @@ def get_user_permissions(userid, projectid):
     return [0, 0, 0]
 
 
+def is_owner(userid, projectid):
+    return projectid in get_projects_by_owner(userid)
+
+
 def get_projects_by_status_and_category(categoryid, project_status):
     """
     Retrieve all projects from a category with a specific status

src/app/views/project.py

@@ -28,7 +28,7 @@ class Project:
         try:
             permissions = models.project.get_user_permissions(str(session.userid), data.projectid)
         except:
-            permissions = [0,0,0]
+            permissions = [0, 0, 0]
 
         categories = models.project.get_categories()
 
@@ -48,15 +48,16 @@ class Project:
         data = web.input(myfile={}, deliver=None, accepted=None, declined=None, projectid=0)
         fileitem = data['myfile']
 
-        permissions = models.project.get_user_permissions(str(session.userid), data.projectid)
+        read_permission, write_permission, modify_permission = models.project.get_user_permissions(str(session.userid), data.projectid)
         categories = models.project.get_categories()
         tasks = models.project.get_tasks_by_project_id(data.projectid)
+        is_owner = models.project.is_owner(session.userid, data.projectid)
 
         # Upload file (if present)
         try:
             if fileitem.filename:
                 # Check if user has write permission
-                if not permissions[1]:
+                if not write_permission:
                     raise web.seeother(('/project?projectid=' + data.projectid))
 
                 fn = fileitem.filename
@@ -89,11 +90,11 @@ class Project:
                     task_delivered = True
 
         # Deliver task
-        if data.deliver and not task_delivered:
+        if data.deliver and not task_delivered and modify_permission:
             models.project.update_task_status(data.taskid, "delivered")
 
         # Accept task delivery
-        elif data.accepted:
+        elif data.accepted and is_owner:
             models.project.update_task_status(data.taskid, "accepted")
 
             # If all tasks are accepted then update project status to finished
@@ -106,7 +107,7 @@ class Project:
                 models.project.update_project_status(str(data.projectid), "finished")
 
         # Decline task delivery
-        elif data.declined:
+        elif data.declined and is_owner:
             models.project.update_task_status(data.taskid, "declined")
 
         raise web.seeother(('/project?projectid=' + data.projectid))