From 7648c04fb2700edc5dd61ccebb19b26bb9d332ba Mon Sep 17 00:00:00 2001
From: Andrew Williams <andy@tensixtyone.com>
Date: Thu, 19 May 2011 11:31:31 +0100
Subject: [PATCH] Check the requester is in the parent group

---
 app/groups/views.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/groups/views.py b/app/groups/views.py
index 1f11417..5a7c085 100644
--- a/app/groups/views.py
+++ b/app/groups/views.py
@@ -64,6 +64,9 @@ def create_request(request, groupid):
     if request.user in group.user_set.all() or not group.groupinformation.requestable:
         return HttpResponseRedirect(reverse('groups.views.group_list'))
 
+    if group.groupinformation.parent and not group.groupinformation.parent in request.user.groups.all():
+       return HttpResponseRedirect(reverse('groups.views.group_list'))
+
     if group.requests.filter(status=REQUEST_PENDING,user=request.user).count():
         messages.add_message(request, messages.INFO, "You already have a pending request for %s" % group.name)
         return HttpResponseRedirect(reverse('groups.views.group_list'))