From 40172bf8b5cc5e9d6ff2dce1679713915ed103e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Wed, 23 Aug 2017 13:57:14 +0200
Subject: [PATCH] Orgs: Use create-organization capability to control access

This is more explicit and future-proof than checking for admin cap.
---
 pillar/api/organizations/hooks.py | 2 +-
 pillar/config.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pillar/api/organizations/hooks.py b/pillar/api/organizations/hooks.py
index fb843d42..84671fd1 100644
--- a/pillar/api/organizations/hooks.py
+++ b/pillar/api/organizations/hooks.py
@@ -18,7 +18,7 @@ def pre_get_organizations(request, lookup):
 def pre_post_organizations(request):
 user = current_user()
- if user.is_anonymous or not user.has_cap('admin'):
+ if not user.has_cap('create-organization'):
 raise wz_exceptions.Forbidden()
diff --git a/pillar/config.py b/pillar/config.py
index 561d109b..4a04d39e 100644
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -167,5 +167,5 @@ USER_CAPABILITIES = defaultdict(**{
 'subscriber': {'subscriber', 'home-project'},
 'demo': {'subscriber', 'home-project'},
 'admin': {'subscriber', 'home-project', 'video-encoding', 'admin',
- 'view-pending-nodes', 'edit-project-node-types'},
+ 'view-pending-nodes', 'edit-project-node-types', 'create-organization'},
 }, default_factory=frozenset)
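Review bot: In `pre_post_organizations` (pillar/api/organizations/hooks.py), removing the `user.is_anonymous` test leaves rejection of unauthenticated requests entirely to `has_cap('create-organization')` returning False for the anonymous user object, and that behaviour is not visible in this hunk. If the invariant holds, record it next to the check so a later change to anonymous or default capabilities does not quietly open organization creation, e.g. `# Anonymous users hold no capabilities, so this also rejects unauthenticated requests.` above the `if`. A test that POSTs as an anonymous user and as an authenticated user without the capability, expecting Forbidden in both cases, would pin the behaviour.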
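Review bot: In pillar/config.py the new capability is granted only through the `'admin'` entry, and its name `'create-organization'` is a bare string that must match the literal in `pre_post_organizations` exactly; a typo or rename on either side fails closed with Forbidden and nothing else flags it. A short comment on the entry, such as `# 'create-organization' is checked in pillar/api/organizations/hooks.py`, would tie the two together. Separately, and pre-existing rather than introduced here: the closing context line passes `default_factory=frozenset` as a keyword, but `collections.defaultdict` takes its factory as the first positional argument, so this presumably stores a `'default_factory'` key and leaves unknown roles without a default, which is worth confirming since capability lookups depend on this mapping. The `USER_CAPABILITIES` assignment starts above the hunk.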