From d8cb069766260b0ddbbc7dd1b6f989b4ec5204c8 Mon Sep 17 00:00:00 2001
From: Todd Dembrey <todd.dembrey@torchbox.com>
Date: Wed, 7 Mar 2018 16:21:42 +0000
Subject: [PATCH] Ensure that users can bypass the visibility by providing a
 clean method

---
 opentech/apply/activity/forms.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/opentech/apply/activity/forms.py b/opentech/apply/activity/forms.py
index fd857e845..b1f465448 100644
--- a/opentech/apply/activity/forms.py
+++ b/opentech/apply/activity/forms.py
@@ -16,8 +16,15 @@ class CommentForm(forms.ModelForm):
 
     def __init__(self, *args, user=None, **kwargs):
         super().__init__(*args, **kwargs)
+        self.allowed_visibility = self._meta.model.visibility_for(user)
         self.visibility_choices = self._meta.model.visibility_choices_for(user)
         if len(self.visibility_choices) > 1:
             self.fields['visibility'].choices = self.visibility_choices
         else:
             self.fields['visibility'].widget = forms.HiddenInput()
+
+    def clean_visibility(self):
+        choice = self.cleaned_data['visibility']
+        if choice not in self.allowed_visibility:
+            raise ValidationError('You do not have permission for that visibility.')
+        return choice
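Review bot: `clean_visibility` raises a bare `ValidationError`, but all seven inserted lines are in this hunk, so the commit adds no import for that name. The file's import block is outside the hunk; unless it already imports `ValidationError`, a disallowed choice would hit a `NameError` and surface as a server error instead of a form error. `forms` is already in scope here, so `raise forms.ValidationError('You do not have permission for that visibility.')` avoids depending on it. In the `HiddenInput` branch the field's choices are not narrowed, which makes this method the only server-side check on the submitted value. A test that posts a visibility outside `visibility_for(user)` and asserts a form error on `visibility` would pin that down.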
-- 
GitLab