From 0ead6604ffa847cba82b299948137102a4c97f45 Mon Sep 17 00:00:00 2001
From: Thibaud Duquennoy <thibaud@duquennoy.fr>
Date: Tue, 12 Mar 2019 03:29:01 +0100
Subject: [PATCH] bugfix: auto_author gives permission to everybody(#99)

bugfix: auto_author gives permission to everybody(#99)
---
 djangoldp/serializers.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/djangoldp/serializers.py b/djangoldp/serializers.py
index 7107a004..ad46029c 100644
--- a/djangoldp/serializers.py
+++ b/djangoldp/serializers.py
@@ -206,9 +206,11 @@ class LDPSerializer(HyperlinkedModelSerializer):
 
         if self.context['request'].user.is_anonymous:
             data['permissions'] += permissions.AnonymousReadOnly.anonymous_perms
-        elif self.context['request'].user.is_authenticated:
+        elif self.context['request'].user.is_authenticated and hasattr(obj._meta, 'auto_author'):
             if hasattr(obj._meta, 'auto_author'):
-                data['permissions'] += permissions.AnonymousReadOnly.author_perms
+                author = getattr(obj, obj._meta.auto_author)
+                if author == self.context['request'].user:
+                    data['permissions'] += permissions.AnonymousReadOnly.author_perms
             else:
                 data['permissions'] += permissions.AnonymousReadOnly.authenticated_perms                               
 
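Review bot: The `else` branch that adds `authenticated_perms` can no longer run, because the new `elif` already requires `hasattr(obj._meta, 'auto_author')` and the inner `if` repeats the same test. An authenticated user on a model without `auto_author` now gets nothing appended to `data['permissions']`, which looks like an unintended regression; keeping the outer condition as `elif self.context['request'].user.is_authenticated:` restores that path. An authenticated non-author on an `auto_author` model also falls through with nothing added, so it is worth deciding whether that case should receive `authenticated_perms`. This block only fills the serialized `permissions` list, so the same author comparison presumably needs to exist in the permission class that enforces access, which is not visible here. The enclosing method starts and ends outside the hunk.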
-- 
GitLab