Commit 9aec9ec4 by Bach Dániel

Merge branch 'issue-306' into 'master'

Add permission check for profile view

Closes #306
parents 8f6b93ba 91be5c4c
...@@ -285,6 +285,25 @@ class ProfileView(LoginRequiredMixin, DetailView): ...@@ -285,6 +285,25 @@ class ProfileView(LoginRequiredMixin, DetailView):
slug_field = "username" slug_field = "username"
slug_url_kwarg = "username" slug_url_kwarg = "username"
def get(self, *args, **kwargs):
user = self.request.user
target = self.get_object()
# get the list of groups where the user is operator
user_g_w_op = GroupProfile.get_objects_with_level("operator", user)
# get the list of groups the "target" (the profile) is member of
target_groups = GroupProfile.objects.filter(
group__in=target.groups.all())
intersection = set(user_g_w_op).intersection(target_groups)
# if the intersection of the 2 lists is empty the logged in user
# has no permission to check the target's profile
# (except if the user want to see his own profile)
if len(intersection) < 1 and target != user:
raise PermissionDenied
return super(ProfileView, self).get(*args, **kwargs)
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(ProfileView, self).get_context_data(**kwargs) context = super(ProfileView, self).get_context_data(**kwargs)
user = self.get_object() user = self.get_object()
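Review bot: The new `get()` answers 403 for an existing profile the caller may not view, while a missing username presumably still yields 404 from `get_object()`, so any logged-in user can tell which usernames exist; if that should stay private, use `raise Http404` in place of `raise PermissionDenied`. The check also sits only in `get()`, and the object is fetched again by `super().get()` and by `get_context_data()`, so running the test inside a `get_object()` override would guard every handler and every fetch. A short docstring on `get()` stating the rule (own profile, or operator of a group the target belongs to) would help, and `if target != user and not intersection:` reads more directly than `len(intersection) < 1`. The rest of `ProfileView` lies outside the hunk, so whether superusers are meant to bypass this check cannot be confirmed from here.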
......