From 648753a68a9bde5efa89393ab0e89803bcd858ca Mon Sep 17 00:00:00 2001 From: Basraah Date: Sun, 4 Dec 2016 13:02:25 +1000 Subject: [PATCH] Prevent users requesting or leaving non-joinable groups I have not prevented users joining hidden groups however, as there may be some use cases where the direct link is provided for users to request access to the group. Also prevent users generating leave requests for groups they are not a member of.
---
 groupmanagement/views.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/groupmanagement/views.py b/groupmanagement/views.py
index 71782c6d..e79ab0da 100755
--- a/groupmanagement/views.py
+++ b/groupmanagement/views.py
@@ -246,6 +246,11 @@ def groups_view(request):
 def group_request_add(request, group_id):
 logger.debug("group_request_add called by user %s for group id %s" % (request.user, group_id))
 group = Group.objects.get(id=group_id)
+ if not joinable_group(group):
+ logger.warning("User %s attempted to join group id %s but it is not a joinable group" %
+ (request.user, group_id))
+ messages.warning(request, "You cannot join that group")
+ return redirect('auth_groups')
 if OpenGroup.objects.filter(group=group).exists():
 logger.info("%s joining %s as is an open group" % (request.user, group))
 request.user.groups.add(group)
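Review bot: The join path gets the new joinability guard but no counterpart to the membership check that group_request_leave receives in the second hunk, so a user who is already in the group can apparently still reach the request logic below; whether code outside this hunk rejects that is not visible. A guard such as `if request.user.groups.filter(pk=group.pk).exists():` followed by a `messages.warning(...)` and `return redirect('auth_groups')`, placed after the joinability check, would close that gap. The decision to leave hidden groups requestable is recorded only in the commit message; a comment above the check, e.g. `# Hidden groups stay requestable on purpose: a direct link may be shared so users can ask for access`, would keep that policy next to the code that enforces it. `joinable_group` is neither defined nor imported by this patch, so it presumably already exists in views.py, which is worth confirming.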
@@ -267,6 +272,16 @@ def group_request_add(request, group_id):
 def group_request_leave(request, group_id):
 logger.debug("group_request_leave called by user %s for group id %s" % (request.user, group_id))
 group = Group.objects.get(id=group_id)
+ if not joinable_group(group):
+ logger.warning("User %s attempted to leave group id %s but it is not a joinable group" %
+ (request.user, group_id))
+ messages.warning(request, "You cannot leave that group")
+ return redirect('auth_groups')
+ if group not in request.user.groups.all():
+ logger.debug("User %s attempted to leave group id %s but they are not a member" %
+ (request.user, group_id))
+ messages.warning(request, "You are not a member of that group")
+ return redirect('auth_groups')
 if OpenGroup.objects.filter(group=group).exists():
 logger.info("%s leaving %s as is an open group" % (request.user, group))
 request.user.groups.remove(group)
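Review bot: The membership test `group not in request.user.groups.all()` evaluates the user's whole group queryset in Python on every request; `if not request.user.groups.filter(pk=group.pk).exists():` asks the database the same question directly. The not-a-member branch logs at debug while the non-joinable branch logs at warning, although both presumably indicate a request for a group id the UI would not normally offer; using `logger.warning` for both would keep them visible together in production logs. The logging calls also format eagerly with `%`; passing the values as arguments (`logger.warning("... %s ...", request.user, group_id)`) is the idiomatic form, though the eager style matches the surrounding file. The body of group_request_leave continues past the end of the hunk.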