From 0bfc08f81f0f6ce2b9a9c909e986024e2d42111e Mon Sep 17 00:00:00 2001
From: nad <jnadeu@gmail.com>
Date: Mon, 17 Aug 2020 16:30:11 +0200
Subject: [PATCH] Check snapshot permissions only when it comes from Workbench

---
 ereuse_devicehub/resources/action/views.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/ereuse_devicehub/resources/action/views.py b/ereuse_devicehub/resources/action/views.py
index b3a74789..c965ff1b 100644
--- a/ereuse_devicehub/resources/action/views.py
+++ b/ereuse_devicehub/resources/action/views.py
@@ -77,10 +77,6 @@ class ActionView(View):
         assert all(not c.actions_one for c in components) if components else True
         db_device, remove_actions = resource_def.sync.run(device, components)
 
-        # Check ownership of (non-component) device to from current.user
-        if(db_device.owner_id != g.user.id):
-            raise InsufficientPermission()
-
         del device  # Do not use device anymore
         snapshot.device = db_device
         snapshot.actions |= remove_actions | actions_device  # Set actions to snapshot
@@ -95,8 +91,11 @@ class ActionView(View):
                 component.actions_one |= actions
                 snapshot.actions |= actions
 
-        # Compute ratings
         if snapshot.software == SnapshotSoftware.Workbench:
+            # Check ownership of (non-component) device to from current.user
+            if db_device.owner_id != g.user.id:
+                raise InsufficientPermission()
+            # Compute ratings
             try:
                 rate_computer, price = RateComputer.compute(db_device)
             except CannotRate: