From 1e0f81fbb31f4060ed6142f2ae2002d88c83e56d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madis=20M=C3=A4gi?=
Date: Sat, 27 Jul 2024 23:27:39 +0300
Subject: [PATCH] Fix edit permissions check

---
 inventory-app/inventory.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/inventory-app/inventory.py b/inventory-app/inventory.py
index a33e2bb..beb6627 100644
--- a/inventory-app/inventory.py
+++ b/inventory-app/inventory.py
@@ -143,13 +143,13 @@ def check_edit_permission(item_id):
 item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
 if not item:
 return False
- item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
- user_username = user.get("username", False)
 user_groups = user.get("groups", [])
- if not item_username or not user_username:
- return False
 if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
 return True
+ item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
+ user_username = user.get("username", False)
+ if not item_username or not user_username:
+ return False
 return item_username == user_username
 
 @page_inventory.route("/m/inventory//edit", methods=['GET'])
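Review bot: After the reorder, the group branch (`if any(group in user_groups ...)`) returns True before anything checks that the session carries a `username`, so for privileged users the edit decision now rests entirely on `user["groups"]`. If the intent was only to let board/admin members edit items that have no owner, keep the identity check ahead of it, e.g. `if not user.get("username"): return False` placed just before the `any(...)` line. The `in` test also assumes `groups` is a list; if it were ever a plain string, `in` would match substrings rather than whole group names, so a guard such as `if not isinstance(user_groups, (list, tuple, set)): return False` would make the assumption explicit. `user` is assigned above the hunk, so how it is populated and whether `groups` comes from a verified token is not visible here.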