Hotfix drop endpoint permissions

csm_web/scheduler/permissions.py

@@ -113,3 +113,13 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return bool(request.user and request.user == obj.user)
+
+
+class DestroyIsOwner(permissions.BasePermission):
+    """
+    Grants permission to destroy the resource only if the requester is the user
+    associated with the object.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        return bool(request.user and request.user == obj.user)

csm_web/scheduler/signals.py

@@ -56,7 +56,9 @@ def handle_profile_post_save(sender, **kwargs):
                     )
                     if (
                         models.Profile.objects.filter(
-                            user=profile.user, course__name="CS70", leader=profile.leader
+                            user=profile.user,
+                            course__name="CS70",
+                            leader=profile.leader,
                         ).count()
                         == 1
                     ):

csm_web/scheduler/views.py

@@ -21,7 +21,14 @@
     SpacetimeSerializer,
     OverrideSerializer,
 )
-from .permissions import is_leader, IsLeader, IsLeaderOrReadOnly, IsReadIfOwner, IsOwner
+from .permissions import (
+    is_leader,
+    IsLeader,
+    IsLeaderOrReadOnly,
+    IsReadIfOwner,
+    IsOwner,
+    DestroyIsOwner,
+)
 
 VERBOSE = "verbose"
 USERINFO = "userinfo"
@@ -162,8 +169,12 @@ def get_serializer_class(self):
 
 class DeleteProfile(generics.DestroyAPIView):
     # TODO this looks like it should really have a permission class...
+
+    permission_classes = (DestroyIsOwner,)
+
     def destroy(self, request, *args, **kwargs):
         profile = get_object_or_404(Profile, pk=self.kwargs["pk"])
+        self.check_object_permissions(request, profile)
         if not profile.active:
             raise PermissionDenied(
                 "This profile ({}) has been deactivated".format(profile)