Fix the access checks for org application submission.
The current access checks are too liberal in giving access to org admins
of any organization to view and edit the org applications of any other
organization, which is quite dangerous. This commit fixes the problem by
using the right access checks. The checks include validating the currently
logged-in user as an org admin for the org application he is trying to
access and if the application is still not accepted or rejected. There is
no point in allowing org admins to edit the org application questionnaire
after they are accepted or rejected.
Thanks to the org admin with IRC nick olly_ who reported this.
diff --git a/app/summerofcode/views/org_app.py b/app/summerofcode/views/org_app.py
index 830f4a6..2c4a183 100644
@@ -694,8 +694,10 @@
"""View to submit application to a program by organization representatives."""
access_checker = access.ConjuctionAccessChecker([
+ [org_model.Status.APPLYING, org_model.Status.PRE_ACCEPTED,
"""See base.RequestHandler.djangoURLPatterns for specification."""
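Review bot: The status allowlist on the added line includes org_model.Status.PRE_ACCEPTED, while the commit message states the rule as no editing once an application is accepted or rejected, so a short comment beside the list should say why a pre-accepted application still counts as editable. The ownership half of the fix (the logged-in user being an org admin for this specific application) is not visible in the lines shown; it is worth confirming that the check is keyed on the org of the requested application rather than on holding the org admin role for any org, and adding a test in which an admin of one org requests another org's application and is denied.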