# HG changeset patch
# User Marcin Lulek
# Date 2019-05-16 21:18:23
# Node ID 4898a5726c4aaa8429bef6b0642db91c2f563b06
# Parent be486c965e1a86af67022fd057588715dccb23e2
watch: add permission check for repo action.
diff --git a/rhodecode/apps/journal/views.py b/rhodecode/apps/journal/views.py
--- a/rhodecode/apps/journal/views.py
+++ b/rhodecode/apps/journal/views.py
@@ -31,12 +31,12 @@ from pyramid.renderers import render
 from rhodecode.apps._base import BaseAppView
 from rhodecode.model.db import (
- or_, joinedload, UserLog, UserFollowing, User, UserApiKeys)
+ or_, joinedload, Repository, UserLog, UserFollowing, User, UserApiKeys)
 from rhodecode.model.meta import Session
 import rhodecode.lib.helpers as h
 from rhodecode.lib.helpers import Page
 from rhodecode.lib.user_log_filter import user_log_filter
-from rhodecode.lib.auth import LoginRequired, NotAnonymous, CSRFRequired
+from rhodecode.lib.auth import LoginRequired, NotAnonymous, CSRFRequired, HasRepoPermissionAny
 from rhodecode.lib.utils2 import safe_int, AttributeDict, md5_safe
 from rhodecode.model.scm import ScmModel
@@ -304,7 +304,10 @@ class JournalView(BaseAppView):
 raise HTTPBadRequest()
 repo_id = self.request.POST.get('follows_repo_id')
- if repo_id:
+ repo = Repository.get_or_404(repo_id)
+ perm_set = ['repository.read', 'repository.write', 'repository.admin']
+ has_perm = HasRepoPermissionAny(*perm_set)(repo.repo_name, 'RepoWatch check')
+ if repo and has_perm:
 try:
 ScmModel().toggle_following_repo(repo_id, self._rhodecode_user.user_id)
 Session().commit()
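Review bot: When `has_perm` is False the new `if repo and has_perm:` branch is silently skipped, so a caller without read access on the repository gets whatever the view returns after this block instead of an explicit denial, and cannot distinguish "denied" from "toggled". The `repo and` half of the condition is also dead, because `Repository.get_or_404` never yields a falsy value. I would fail closed before the toggle: `if not HasRepoPermissionAny(*perm_set)(repo.repo_name, 'RepoWatch check'):` / `    raise HTTPNotFound()` (from `pyramid.httpexceptions`; `HTTPBadRequest` is already in scope here, so the import line presumably lives outside this hunk and just needs extending). Answering an unreadable repository with the same 404 that `get_or_404` gives an unknown one also avoids confirming a private repository's existence to users who cannot read it. The enclosing method begins before the hunk and continues past `Session().commit()`, so the fall-through path should be checked there.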