From 648593cdf9a1eec2d719feaf9054b522102d9fb2 Mon Sep 17 00:00:00 2001
From: Joshua Beretta <joshuaberetta@gmail.com>
Date: Mon, 17 May 2021 19:39:13 +0000
Subject: [PATCH] apply changes to branch off master

---
 kpi/views/v2/user.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/kpi/views/v2/user.py b/kpi/views/v2/user.py
index 5a98a2d7cc..d29637bc68 100644
--- a/kpi/views/v2/user.py
+++ b/kpi/views/v2/user.py
@@ -32,8 +32,10 @@ def list(self, request, *args, **kwargs):
             url_path=r'migrate(?:/(?P<task_id>[\d\w\-]+))?')
     def migrate(self, request, task_id: str = None, **kwargs):
         """
-        A really basic endpoint what allows super users to migration projects
-        from KoBoCAT.
+        A temporary endpoint that allows superusers to migrate other users'
+        projects, and users to migrate their own projects, from Kobocat to KPI.
+        This is required while users transition from the legacy interface to
+        the new.
 
         1. Call this endpoint with `?username=<username>`
         2. Fetch url provided to check the state of the Celery task.
@@ -47,7 +49,12 @@ def migrate(self, request, task_id: str = None, **kwargs):
 
         """
 
-        if not request.user.is_superuser:
+        request_user = request.user
+        migrate_user = kwargs.get('username')
+        if request_user.is_anonymous or (
+            not request_user.is_superuser
+            and request_user.username != migrate_user
+        ):
             raise exceptions.PermissionDenied()
 
         if task_id: