From 732c86b6fb80f5472c8e277309942bf8424ee4f6 Mon Sep 17 00:00:00 2001
From: Alexander Kalinovsky <a@k8y.ru>
Date: Fri, 21 Mar 2025 18:46:22 +0700
Subject: [PATCH] fix permission checks for command forms

---
 .../bot/handlers/editors/main_callbacks.py    | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/qbot/bot/handlers/editors/main_callbacks.py b/src/qbot/bot/handlers/editors/main_callbacks.py
index 666a0a1..05f6577 100644
--- a/src/qbot/bot/handlers/editors/main_callbacks.py
+++ b/src/qbot/bot/handlers/editors/main_callbacks.py
@@ -260,14 +260,19 @@ async def process_field_edit_callback(message: Message | CallbackQuery, **kwargs
 
             # What if user has several roles and each role has its own ownership field? Should we allow creation even
             # if user has no CREATE_ALL permission
-            user_permissions = get_user_permissions(user, entity_descriptor)
 
-            for role in user.roles:
-                if (
-                    role in entity_descriptor.ownership_fields
-                    and EntityPermission.CREATE_ALL not in user_permissions
-                ):
-                    entity_data[entity_descriptor.ownership_fields[role]] = user.id
+            if callback_data.context in [
+                CommandContext.ENTITY_CREATE,
+                CommandContext.ENTITY_EDIT,
+            ]:
+                user_permissions = get_user_permissions(user, entity_descriptor)
+
+                for role in user.roles:
+                    if (
+                        role in entity_descriptor.ownership_fields
+                        and EntityPermission.CREATE_ALL not in user_permissions
+                    ):
+                        entity_data[entity_descriptor.ownership_fields[role]] = user.id
 
             deser_entity_data = {
                 key: await deserialize(