diff options
author | Parker Berberian <pberberian@iol.unh.edu> | 2018-10-26 10:52:14 -0400 |
---|---|---|
committer | Parker Berberian <pberberian@iol.unh.edu> | 2018-10-26 10:52:14 -0400 |
commit | 6c22b5efaca347cdd51f1e23b28a246c77736aed (patch) | |
tree | e375f83614db0fa22abdfb3bbff15fc1b86238e9 /src | |
parent | ebc42347105caa2be52a8337372ae4793fe9182c (diff) |
Hides information about your booking from other users
If a user is not the owner or a collaborator on a booking,
they should be kept from seeing the booking detail page which may
contain credentials, etc from the lab fulfilling the booking.
Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270
Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>
Diffstat (limited to 'src')
-rw-r--r-- | src/booking/views.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/booking/views.py b/src/booking/views.py index 9b9860f..a0ea31d 100644 --- a/src/booking/views.py +++ b/src/booking/views.py @@ -103,6 +103,10 @@ def booking_detail_view(request, booking_id): return render(request, "dashboard/login.html", {'title': 'Authentication Required'}) booking = get_object_or_404(Booking, id=booking_id) + allowed_users = set(list(booking.collaborators.all())) + allowed_users.add(booking.owner) + if user not in allowed_users: + return render(request, "dashboard/login.html", {'title': 'This page is private'}) return render(request, "booking/booking_detail.html", { 'title': 'Booking Details', 'booking': booking, |