From de61afcbf3b458518c743b6f3db8767701b04129 Mon Sep 17 00:00:00 2001
From: hernani
Date: Thu, 29 Apr 2010 01:11:04 +0000
Subject: [PATCH] Some other user private stuff was not being properly checked.
git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@90 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
forum/views/auth.py | 2 +-
forum/views/users.py | 13 ++++++++-----
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/forum/views/auth.py b/forum/views/auth.py
index ca8d716..cda0a81 100644
--- a/forum/views/auth.py
+++ b/forum/views/auth.py
@@ -313,7 +313,7 @@ def auth_settings(request):
def remove_external_provider(request, id):
association = get_object_or_404(AuthKeyUserAssociation, id=id)
if not association.user == request.user:
- raise HttpResponseForbidden()
+ return HttpResponseForbidden()
request.user.message_set.create(message=_("You removed the association with %s") % association.provider)
association.delete()
return HttpResponseRedirect(reverse('user_authsettings'))
diff --git a/forum/views/users.py b/forum/views/users.py
index c64764e..543d5c7 100644
--- a/forum/views/users.py
+++ b/forum/views/users.py
@@ -135,10 +135,13 @@ def edit_user(request, id):
-def user_view(template, tab_name, tab_description, page_title):
+def user_view(template, tab_name, tab_description, page_title, private=False):
def decorator(fn):
def decorated(request, id, slug=None):
- context = fn(request, get_object_or_404(User, id=id))
+ user = get_object_or_404(User, id=id)
+ if private and not user == request.user:
+ return HttpResponseForbidden()
+ context = fn(request, user)
context.update({
"tab_name" : tab_name,
"tab_description" : tab_description,
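Review bot: The ownership test `if not association.user == request.user:` is a negated equality; `if association.user != request.user:` states the intent directly and is the idiom this guard should use now that the branch returns the 403 instead of raising a non-exception. Separately, `remove_external_provider` deletes the association on whatever request method arrives: the hunk has no `request.method` check, so unless a decorator above the hunk restricts it, a plain GET link performs the removal and the action sits outside Django's CSRF protection; restricting the deletion to POST (`if request.method != 'POST': return HttpResponseNotAllowed(['POST'])`) would close that. Any decorators on the function are above the hunk, so a login or method guard may already exist there.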
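Review bot: `HttpResponseForbidden` is now referenced inside `decorated`, but the hunk does not show it being imported into forum/views/users.py; if the module's import block (outside the hunk) lacks it, the private branch fails with a NameError at request time instead of returning a 403, which is the one path this change is meant to protect, so that import needs checking. The comparison reads more directly as `if private and user != request.user:`. `user_view` also deserves a docstring stating the new contract, e.g. `"""Decorate a profile-tab view; with private=True only the profile owner may open it, anyone else gets 403."""`. The body of `decorated` continues past the end of the hunk.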
@@ -193,7 +196,7 @@ def user_recent(request, user):
return {"view_user" : user, "activities" : activities}
-@user_view('users/votes.html', 'votes', _('user vote record'), _('profile - votes'))
+@user_view('users/votes.html', 'votes', _('user vote record'), _('profile - votes'), True)
def user_votes(request, user):
votes = user.votes.exclude(node__deleted=True).order_by('-voted_at')[:USERS_PAGE_SIZE]
@@ -211,13 +214,13 @@ def user_reputation(request, user):
return {"view_user": user, "reputation": reputation, "graph_data": graph_data}
-@user_view('users/questions.html', 'favorites', _('favorite questions'), _('profile - favorite questions'))
+@user_view('users/questions.html', 'favorites', _('favorite questions'), _('profile - favorite questions'), True)
def user_favorites(request, user):
questions = user.favorite_questions.filter(deleted=False)
return {"questions" : questions, "view_user" : user}
-@user_view('users/subscriptions.html', 'subscriptions', _('subscription settings'), _('profile - subscriptions'))
+@user_view('users/subscriptions.html', 'subscriptions', _('subscription settings'), _('profile - subscriptions'), True)
def user_subscriptions(request, user):
if request.method == 'POST':
form = SubscriptionSettingsForm(request.POST)
--
2.39.5
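Review bot: The new flag is passed as a bare positional `True` here and at both call sites in the `@@ -211,13 +214,13 @@` hunk, which tells a reader nothing about what is being switched on; passing it by keyword makes the access restriction visible at each decorator, e.g. `@user_view('users/votes.html', 'votes', _('user vote record'), _('profile - votes'), private=True)`. Because the owner check runs in the decorator before the wrapped view is called, it now also gates the `request.method == 'POST'` branch of `user_subscriptions`, so only the profile owner can change subscription settings; that is the substantive fix and is worth a one-line comment above that decorator rather than being implied by a `True`. The bodies of `user_votes` and `user_subscriptions` continue past their hunks.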