From 56df0634d633988ddafd724eae312c20a2caca92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Wed, 26 Mar 2014 14:22:10 +0100
Subject: [PATCH] Now users have better permissions management
---
 taiga/base/users/api.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/taiga/base/users/api.py b/taiga/base/users/api.py
index 2474b012..481aba4a 100644
--- a/taiga/base/users/api.py
+++ b/taiga/base/users/api.py
@@ -29,9 +29,15 @@ class MembersFilterBackend(BaseFilterBackend):
 if project_id:
 Project = get_model('projects', 'Project')
 project = get_object_or_404(Project, pk=project_id)
- return queryset.filter(Q(memberships__project=project) | Q(id=project.owner.id)).distinct()
+ if project.memberships.filter(user=request.user).exists() or project.owner ==request.user:
+ return queryset.filter(Q(memberships__project=project) | Q(id=project.owner.id)).distinct()
+ else:
+ raise exc.PermissionDenied(_("You don't have permisions to see this project users."))
 else:
- return queryset
+ if request.user.is_superuser:
+ return queryset
+ else:
+ raise exc.PermissionDenied(_("You don't have permisions to see all users."))

 class PermissionsViewSet(ModelListViewSet):
 permission_classes = (IsAuthenticated,)
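Review bot: In the `if project_id:` branch the project is loaded with `get_object_or_404` before the membership test, so a caller who is not a member gets a 404 for an unused id and a 403 for a real one, which discloses which project ids exist. Returning the same response in both cases closes that gap, for example by raising `Http404` in the non-member branch instead of `exc.PermissionDenied(...)`, or by handing `get_object_or_404` a queryset already restricted to projects the user owns or belongs to. `project.memberships.filter(user=request.user)` also assumes an authenticated user; whether every view that uses this backend enforces `IsAuthenticated` is not visible here, so an explicit authentication check before the lookup would be safer. The enclosing method starts outside the hunk (its signature and the origin of `project_id` are not shown), and the commit adds no import lines, so `exc` and `_` are presumably already imported in api.py, which is worth confirming.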