aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorParker Berberian <pberberian@iol.unh.edu>2018-10-26 10:52:14 -0400
committerParker Berberian <pberberian@iol.unh.edu>2018-10-26 10:52:14 -0400
commit6c22b5efaca347cdd51f1e23b28a246c77736aed (patch)
treee375f83614db0fa22abdfb3bbff15fc1b86238e9 /src
parentebc42347105caa2be52a8337372ae4793fe9182c (diff)
Hides information about your booking from other users
If a user is not the owner or a collaborator on a booking, they should be kept from seeing the booking detail page which may contain credentials, etc from the lab fulfilling the booking. Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270 Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>
Diffstat (limited to 'src')
-rw-r--r--src/booking/views.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/booking/views.py b/src/booking/views.py
index 9b9860f..a0ea31d 100644
--- a/src/booking/views.py
+++ b/src/booking/views.py
@@ -103,6 +103,10 @@ def booking_detail_view(request, booking_id):
return render(request, "dashboard/login.html", {'title': 'Authentication Required'})
booking = get_object_or_404(Booking, id=booking_id)
+ allowed_users = set(list(booking.collaborators.all()))
+ allowed_users.add(booking.owner)
+ if user not in allowed_users:
+ return render(request, "dashboard/login.html", {'title': 'This page is private'})
return render(request, "booking/booking_detail.html", {
'title': 'Booking Details',
'booking': booking,