From ed69a871a531fded2a1c7eabf34297ea2566164f Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Wed, 3 Jul 2024 18:06:10 +0100
Subject: [PATCH] Prevent changing package type once approved

Fixes #547
---
 app/logic/packages.py                   | 10 ++++++++--
 app/templates/packages/create_edit.html |  7 ++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/app/logic/packages.py b/app/logic/packages.py
index ee396fad..7620984c 100644
--- a/app/logic/packages.py
+++ b/app/logic/packages.py
@@ -23,7 +23,7 @@ from flask_babel import lazy_gettext, LazyString
 
 from app.logic.LogicError import LogicError
 from app.models import User, Package, PackageType, MetaPackage, Tag, ContentWarning, db, Permission, AuditSeverity, \
-	License, PackageDevState
+	License, PackageDevState, PackageState
 from app.utils import add_audit_log, has_blocked_domains, diff_dictionaries, describe_difference, normalize_line_endings
 from app.utils.url import clean_youtube_url
 
@@ -131,7 +131,13 @@ def do_edit_package(user: User, package: Package, was_new: bool, was_web: bool,
 			raise LogicError(403, lazy_gettext("Linking to blocked sites is not allowed"))
 
 	if "type" in data:
-		data["type"] = PackageType.coerce(data["type"])
+		new_type = PackageType.coerce(data["type"])
+		if new_type == package.type:
+			pass
+		elif package.state != PackageState.APPROVED:
+			package.type = new_type
+		else:
+			raise LogicError(403, lazy_gettext("You cannot change package type once approved"))
 
 	if "dev_state" in data:
 		data["dev_state"] = PackageDevState.coerce(data["dev_state"])
diff --git a/app/templates/packages/create_edit.html b/app/templates/packages/create_edit.html
index 7db346e6..4a50e824 100644
--- a/app/templates/packages/create_edit.html
+++ b/app/templates/packages/create_edit.html
@@ -66,7 +66,12 @@
 			<legend>{{ _("Package") }}</legend>
 
 			<div class="row">
-			{{ render_field(form.type, class_="pkg_meta col-sm-3") }}
+			{% if package and package.approved %}
+				{{ render_field(form.type, class_="pkg_meta col-sm-3", disabled=True) }}
+				<input type="hidden" name="type" value="{{ form.type.data.to_name() }}">
+			{% else %}
+				{{ render_field(form.type, class_="pkg_meta col-sm-3") }}
+			{% endif %}
 			{{ render_field(form.title, class_="pkg_meta col-sm-5") }}
 			{% if package and package.approved and not package.check_perm(current_user, "CHANGE_NAME") %}
 				{{ render_field(form.name, class_="pkg_meta col-sm-4",