From 75dd204cd368a8337d25d07b9241531723a9f379 Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Tue, 7 May 2024 20:16:15 +0200
Subject: [PATCH] add special RBAC logic for approve add special RBAC logic for approve There is probably a better way, but this should work fine. We rely on route parsing.
---
 backend/core/permissions.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/backend/core/permissions.py b/backend/core/permissions.py
index 4a813ff64..5d1a6acda 100644
--- a/backend/core/permissions.py
+++ b/backend/core/permissions.py
@@ -35,9 +35,16 @@ def has_object_permission(self, request: Request, view, obj):
 _codename = perms[0].split(".")[1]
 if request.method in ["GET", "OPTIONS", "HEAD"] and obj.is_published:
 return True
+ perm = Permission.objects.get(codename=_codename)
+ # special case of risk acceptance approval
+ if (
+ request.parser_context["request"]._request.resolver_match.url_name
+ == "risk-acceptances-accept"
+ ):
+ perm = Permission.objects.get(codename="approve_riskacceptance")
 return RoleAssignment.is_access_allowed(
 user=request.user,
- perm=Permission.objects.get(codename=_codename),
+ perm=perm,
 folder=Folder.get_folder(obj),
 )
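Review bot: The `url_name == "risk-acceptances-accept"` comparison in the added block fails open: if the route is renamed, registered under a different basename, or the same action becomes reachable through a second URL, the check silently falls back to the generic `_codename` permission and approval is no longer gated by `approve_riskacceptance`. Consider keying on the view instead of the route string, for example `if getattr(view, "action", None) == "accept":` together with a check on the object's type (this assumes the endpoint is a DRF ViewSet action named `accept`, which the hunk does not show), and add a test asserting that a user holding only the generic permission is denied on this endpoint. The lookup also goes through the private `_request` attribute and `parser_context["request"]`, which in DRF is normally the request itself, so `request.resolver_match` should yield the same object and is worth guarding against `None` for requests that were not URL-resolved. The GET/OPTIONS/HEAD early return for published objects runs before this check, and the body of `has_object_permission` starts outside the hunk, so earlier guards are not visible here.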