Check permissions in bulk action (#473)

ephios/core/views/bulk.py

@@ -4,17 +4,28 @@
 from django.utils.translation import gettext as _
 from django.views import View
 from django.views.generic.base import TemplateResponseMixin
+from guardian.shortcuts import get_objects_for_user
 
-from ephios.core.models import Event
 from ephios.extra.mixins import CustomPermissionRequiredMixin
 
 
 class EventBulkDeleteView(CustomPermissionRequiredMixin, TemplateResponseMixin, View):
     permission_required = "core.delete_event"
     template_name = "core/event_bulk_delete.html"
 
+    def get(self, request, *args, **kwargs):
+        events = get_objects_for_user(request.user, "core.change_event").filter(
+            pk__in=request.GET.getlist("bulk_action")
+        )
+        if not events:
+            messages.info(request, _("No events were selected for deletion."))
+            return redirect(reverse("core:event_list"))
+        return self.render_to_response({"events": events})
+
     def post(self, request, *args, **kwargs):
-        events = Event.objects.filter(pk__in=request.POST.getlist("bulk_action"))
+        events = get_objects_for_user(request.user, "core.change_event").filter(
+            pk__in=request.POST.getlist("bulk_action")
+        )
         if not events:
             messages.info(request, _("No events were selected for deletion."))
             return redirect(reverse("core:event_list"))