From 76c69d3841789b6c42f73383c0aa957c5f6c5e82 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Apr 26 2017 15:26:09 +0000
Subject: [copr] Only owner and admin should be allowed to edit Copr requests
---
diff --git a/koschei/plugins/copr_plugin/frontend.py b/koschei/plugins/copr_plugin/frontend.py
index 67f67ec..d3f2a8c 100644
--- a/koschei/plugins/copr_plugin/frontend.py
+++ b/koschei/plugins/copr_plugin/frontend.py
@@ -119,6 +119,8 @@ def edit_rebuild():
 .filter_by(request_id=form.request_id.data,
 package_id=form.package_id.data)\
 .first_or_404()
+ if rebuild.request.user_id != g.user.id and not g.user.admin:
+ abort(403)
 if form.action.data == 'move-top':
 db.query(CoprRebuild)\
 .filter(CoprRebuild.request_id == rebuild.request_id)\
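Review bot: The new ownership check in edit_rebuild() runs only after `.first_or_404()`, so a non-owner gets 404 for a missing rebuild and 403 for one that exists, which reveals which form-supplied `request_id`/`package_id` pairs are real. If that matters here, answer both cases the same way by changing the added `abort(403)` to `abort(404)`. The check also dereferences `g.user.id` and `g.user.admin`, so it presumably relies on a login-required decorator that sits outside this hunk; if `g.user` can be `None` the request would fail with a 500 rather than a clean denial. A one-line comment above the check, such as `# Only the request owner or an admin may reorder or edit rebuilds`, would record the rule, and a test that posts as a different non-admin user would pin it. The body of edit_rebuild() starts and continues outside the hunk, so other mutating paths in this plugin could not be checked from here.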