Merge pull request #5606 from akatsoulas/bug-1846733-add-tags

Check if user has permissions to add tags

kitsune/questions/api.py

@@ -236,6 +236,15 @@ def has_object_permission(self, request, view, obj):
         return super().has_object_permission(request, view, obj)
 
 
+class HasAddTagPermissions(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj):
+        """Simple permision check to match the one from the question view."""
+
+        if not request.user.has_perm("questions.tag_question"):
+            return False
+        return super().has_object_permission(request, view, obj)
+
+
 class QuestionViewSet(viewsets.ModelViewSet):
     serializer_class = QuestionSerializer
     queryset = Question.objects.all()
@@ -359,7 +368,11 @@ def take(self, request, pk=None):
 
         return Response(status=status.HTTP_204_NO_CONTENT)
 
-    @action(detail=True, methods=["post"], permission_classes=[permissions.IsAuthenticated])
+    @action(
+        detail=True,
+        methods=["post"],
+        permission_classes=[permissions.IsAuthenticated, HasAddTagPermissions],
+    )
     def add_tags(self, request, pk=None):
         question = self.get_object()
 

kitsune/questions/tests/test_api.py

@@ -477,6 +477,7 @@ def test_add_tags(self):
 
         u = UserFactory()
         add_permission(u, Tag, "add_tag")
+        add_permission(u, Question, "tag_question")
         self.client.force_authenticate(user=u)
 
         res = self.client.post(