From c0e0ca66eb36121fc919d45ba81766f41f8dc1d1 Mon Sep 17 00:00:00 2001
From: Ivlev Denis
Date: Wed, 23 May 2018 17:12:59 +0300
Subject: [PATCH 1/2] Fix perms
---
 apps/course/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/course/views.py b/apps/course/views.py
index be890e4c..08596935 100644
--- a/apps/course/views.py
+++ b/apps/course/views.py
@@ -167,7 +167,7 @@ class CourseEditView(TemplateView):
 self.object = Course.objects.create(
 author=request.user,
 )
- if request.user != self.object.author and request.user.role < User.AUTHOR_ROLE:
+ if (request.user != self.object.author and request.user.role < User.AUTHOR_ROLE) or request.user.role != User.ADMIN_ROLE:
 raise Http404
 return super().get(request)
From c1fdd7e47addf34c38bcdd375b2c62c455222eb8 Mon Sep 17 00:00:00 2001
From: nikita
Date: Wed, 23 May 2018 18:54:49 +0300
Subject: [PATCH 2/2] permission fix
---
 apps/course/views.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/course/views.py b/apps/course/views.py
index 08596935..d55097f7 100644
--- a/apps/course/views.py
+++ b/apps/course/views.py
@@ -289,9 +289,9 @@ class LessonView(DetailView):
 def get(self, request, *args, **kwargs):
 response = super().get(request, *args, **kwargs)
- if (self.object.course.status != Course.PUBLISHED and
- (request.user.role < User.AUTHOR_ROLE or
- self.object.course.author != request.user)):
+ if (self.object.course.status != Course.PUBLISHED and not
+ (request.user.role == User.ADMIN_ROLE or
+ self.object.course.author == request.user)):
 raise Http404
 return response
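Review bot: In the CourseEditView hunk (patch 1/2), the added `or request.user.role != User.ADMIN_ROLE` makes the condition true for every non-admin, so the course's own author now gets a 404. Assuming ADMIN_ROLE does not rank below AUTHOR_ROLE, the first parenthesised clause also stops affecting the result. If the intended rule is the one the LessonView hunk in patch 2/2 uses (author or admin may pass), the line would read `if request.user != self.object.author and request.user.role != User.ADMIN_ROLE:`. The context lines also show `Course.objects.create(author=request.user)` ahead of this check on at least one path, so a rejected request may still leave a new Course row behind. The rest of get() is outside the hunk, so that ordering needs confirming there.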
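Review bot: In the LessonView.get hunk (patch 2/2), the new condition reads `request.user.role` whenever the course is unpublished, without first checking that the user is authenticated. Django's AnonymousUser has no `role` attribute unless the project supplies one, and the class's mixins and decorators are outside the hunk. If the view is reachable without login, an anonymous request for an unpublished lesson would raise AttributeError and return a 500 rather than the intended 404, which also makes unpublished lessons distinguishable from nonexistent ones. Naming the rule avoids the dangling `and not` at the end of the line as well: `allowed = request.user.is_authenticated and (request.user.role == User.ADMIN_ROLE or self.object.course.author == request.user)` followed by `if self.object.course.status != Course.PUBLISHED and not allowed:`.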