From 3993a51f6c7b12c8251b4d99a9490d2df072f904 Mon Sep 17 00:00:00 2001
From: Julian Weng <julian.weng.us@gmail.com>
Date: Wed, 13 Nov 2024 12:44:41 -0500
Subject: [PATCH] Consolidate approval_history perms into ClubPermission

---
 backend/clubs/permissions.py | 8 +++++---
 backend/clubs/views.py       | 2 --
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/backend/clubs/permissions.py b/backend/clubs/permissions.py
index daf103333..664c0775c 100644
--- a/backend/clubs/permissions.py
+++ b/backend/clubs/permissions.py
@@ -116,6 +116,8 @@ class ClubPermission(permissions.BasePermission):
 
     Anyone should be able to view, if the club is approved.
     Otherwise, only members or people with permission should be able to view.
+
+    Actions default to owners/officers only unless specified below.
     """
 
     def has_object_permission(self, request, view, obj):
@@ -163,7 +165,7 @@ def has_object_permission(self, request, view, obj):
         if membership is None:
             return False
         # user has to be an owner to delete a club, an officer to edit it
-        if view.action in ["destroy"]:
+        if view.action in {"destroy"}:
             return membership.role <= Membership.ROLE_OWNER
         else:
             return membership.role <= Membership.ROLE_OFFICER
@@ -171,7 +173,9 @@ def has_object_permission(self, request, view, obj):
     def has_permission(self, request, view):
         if view.action in {
             "children",
+            "create",
             "destroy",
+            "history",
             "parents",
             "partial_update",
             "update",
@@ -179,8 +183,6 @@ def has_permission(self, request, view):
             "upload_file",
         }:
             return request.user.is_authenticated
-        elif view.action in {"create"}:
-            return request.user.is_authenticated
         else:
             return True
 
diff --git a/backend/clubs/views.py b/backend/clubs/views.py
index 1b32cf83d..7210e7a2e 100644
--- a/backend/clubs/views.py
+++ b/backend/clubs/views.py
@@ -18,7 +18,6 @@
 import pytz
 import qrcode
 import requests
-import rest_framework
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from CyberSource import (
@@ -1279,7 +1278,6 @@ def upload_file(self, request, *args, **kwargs):
         return file_upload_endpoint_helper(request, code=club.code)
 
     @action(detail=True, methods=["get"])
-    @rest_framework.decorators.permission_classes([ClubSensitiveItemPermission])
     def history(self, request, *args, **kwargs):
         """
         Return a simplified approval history for the club.