- {% if authenticated and mergeform and pull_request.status == 'Open' %}
+ {% if authenticated and mergeform and pull_request.status == 'Open' and repo_admin %}
diff --git a/pagure/ui/fork.py b/pagure/ui/fork.py
index f3a635e..802cfc1 100644
--- a/pagure/ui/fork.py
+++ b/pagure/ui/fork.py
@@ -799,6 +799,9 @@ def set_assignee_requests(repo, requestid, username=None):
if request.status != 'Open':
flask.abort(403, 'Pull-request closed')
+ if not is_repo_admin(repo):
+ flask.abort(403, 'You are not allowed to assign this pull-request')
+
form = pagure.forms.ConfirmationForm()
if form.validate_on_submit():
try:
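Review bot: The new `if not is_repo_admin(repo):` guard sits below the `request.status != 'Open'` check, so a logged-in user with no rights on the project gets 'Pull-request closed' for a closed request and 'You are not allowed to assign this pull-request' for an open one, which reveals the request's state before authorization is decided. Moving the two added lines above the status check, ideally straight after the project and request lookups, would make the denial uniform. The signature names `repo` as the route parameter, so the guard presumably relies on `repo` having been rebound to the project object earlier in the body; that part, and the import of `is_repo_admin`, are outside this hunk and worth confirming. A short comment such as `# Server-side check: hiding the form in the template is not enough` would record why the check exists.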
diff --git a/tests/test_pagure_flask_ui_fork.py b/tests/test_pagure_flask_ui_fork.py
index 6b8c2fd..e1e8bcb 100644
--- a/tests/test_pagure_flask_ui_fork.py
+++ b/tests/test_pagure_flask_ui_fork.py
@@ -1175,7 +1175,7 @@ index 0000000..2a552bb
# No such project
user = tests.FakeUser()
- user.username = 'foo'
+ user.username = 'pingou'
with tests.user_set(pagure.APP, user):
output = self.app.post('/foo/pull-request/1/assign')
self.assertEqual(output.status_code, 404)
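Review bot: None of the visible test hunks covers the new denial path. This hunk switches the fake user from 'foo' to 'pingou', presumably the project admin, so the existing assertions keep passing, but nothing posts to the assign endpoint as a non-admin and expects a refusal. A case that keeps `user.username = 'foo'` against an existing project and open pull-request and ends with `self.assertEqual(output.status_code, 403)` would pin the authorization check, so a later refactor cannot silently drop it. The enclosing test method starts and ends outside this hunk, so such a case may already exist elsewhere in the file.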
@@ -1192,7 +1192,7 @@ index 0000000..2a552bb
'Pagure', output.data)
self.assertIn(
'
PR#1\n'
- ' PR from the feature branch\n
', output.data)
+ ' PR from the feature branch\n', output.data)
self.assertNotIn(
'\n Request assigned',
output.data)
@@ -1217,7 +1217,7 @@ index 0000000..2a552bb
'Pagure', output.data)
self.assertIn(
'
PR#1\n'
- ' PR from the feature branch\n
', output.data)
+ ' PR from the feature branch\n', output.data)
self.assertNotIn(
'\n Request assigned',
output.data)
@@ -1237,7 +1237,7 @@ index 0000000..2a552bb
'Pagure', output.data)
self.assertIn(
'
PR#1\n'
- ' PR from the feature branch\n
', output.data)
+ ' PR from the feature branch\n', output.data)
self.assertIn(
'\n No user "bar" found',
output.data)
@@ -1257,7 +1257,7 @@ index 0000000..2a552bb
'Pagure', output.data)
self.assertIn(
'
PR#1\n'
- ' PR from the feature branch\n
', output.data)
+ ' PR from the feature branch\n', output.data)
self.assertIn(
'\n Request assigned',
output.data)