diff options
Diffstat (limited to 'postgresqleu')
| -rw-r--r-- | postgresqleu/confreg/views.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/postgresqleu/confreg/views.py b/postgresqleu/confreg/views.py index ad242ae3..0b1b3530 100644 --- a/postgresqleu/confreg/views.py +++ b/postgresqleu/confreg/views.py @@ -4119,6 +4119,10 @@ def crossmailoptions(request): # We can safely get the conference directly here, since we won't be using any # date/time information and thus don't need the timezone to be set. conf = get_object_or_404(Conference, id=get_int_or_error(request.GET, 'conf')) + if not request.user.is_superuser: + # Need to verify conference series permissions for non-superuser + if not conf.series.administrators.filter(pk=request.user.id).exists(): + return HttpResponseForbidden() # Get a list of different crossmail options for this conference. Note that # each of them must have an implementation in _get_one_filter() or bad things |