From 9ae236629d65dee837218f60751c29a57df1f18b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E5=AD=A6=E5=B3=B0?= <wb-zxf699644@alibaba-inc.com>
Date: Fri, 12 Aug 2022 17:27:37 +0800
Subject: [PATCH] fix: requirement rw permission

---
 services/requirement_service.py | 4 ++--
 views/requirement_view.py       | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/requirement_service.py b/services/requirement_service.py
index 6b2b21c..84e4505 100644
--- a/services/requirement_service.py
+++ b/services/requirement_service.py
@@ -32,13 +32,13 @@ async def create_requirement(data, owner):
     return result.to_dict(), True
 
 
-async def get_requirement_by_id(req_id, person):
+async def get_requirement_by_id(req_id, user):
     rq = await Requirement.query_dict_one(Requirement.id == req_id)
     if not rq:
         return ERROR_NO_REQUIREMENT_PERMISSION, False
     person_list = rq['assignee'].split()
     person_list.append(rq['owner'])
-    if person not in person_list:
+    if user['user_name'] not in person_list or user['role'] == User_Role.JUNIOR.value:
         return ERROR_NO_REQUIREMENT_PERMISSION, False
     return rq, True
 
diff --git a/views/requirement_view.py b/views/requirement_view.py
index 52c26a9..ff1622b 100644
--- a/views/requirement_view.py
+++ b/views/requirement_view.py
@@ -29,7 +29,7 @@ async def query(request, user_infos):
 @bp.get('/<req_id>')
 @login_auth
 async def get_requirement(_, req_id, user_infos):
-    result, ok = await get_requirement_by_id(req_id, user_infos['user_name'])
+    result, ok = await get_requirement_by_id(req_id, user_infos)
     if not ok:
         return rsp(code=500, msg=result)
     return rsp(data=result)
-- 
Gitee