authorParker Berberian <pberberian@iol.unh.edu>2018-10-26 10:52:14 -0400
committerParker Berberian <pberberian@iol.unh.edu>2018-10-26 10:52:14 -0400
commitf53ba6c4db78bb1ddfc6eb72938d688b5970f284 (patch)
tree593d890f6e901a01318c048a2cb74f42f0a1bd65 /dashboard/src/booking
parentd6e337fa62c32155941333fe8fedc28e4f663700 (diff)
Hides information about your booking from other users
If a user is not the owner or a collaborator on a booking, they should be kept from seeing the booking detail page which may contain credentials, etc from the lab fulfilling the booking. Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270 Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>
Diffstat (limited to 'dashboard/src/booking')
-rw-r--r--dashboard/src/booking/views.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/dashboard/src/booking/views.py b/dashboard/src/booking/views.py
index 9b9860f..a0ea31d 100644
--- a/dashboard/src/booking/views.py
+++ b/dashboard/src/booking/views.py
@@ -103,6 +103,10 @@ def booking_detail_view(request, booking_id):
return render(request, "dashboard/login.html", {'title': 'Authentication Required'})
booking = get_object_or_404(Booking, id=booking_id)
+ allowed_users = set(list(booking.collaborators.all()))
+ allowed_users.add(booking.owner)
+ if user not in allowed_users:
+ return render(request, "dashboard/login.html", {'title': 'This page is private'})
return render(request, "booking/booking_detail.html", {
'title': 'Booking Details',
'booking': booking,
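Review bot: The denial branch under `if user not in allowed_users:` renders the login template with a normal 200 response, so a refused access looks like an ordinary page to logs, monitoring and clients; a 403 would make it visible, e.g. `raise PermissionDenied` (from `django.core.exceptions`; whether it is already imported cannot be seen from this hunk). Because `get_object_or_404` runs before the check, a non-member can still tell existing booking ids (private page) from missing ones (404), and answering both cases the same way would close that. The membership test loads every collaborator into a set; `if user != booking.owner and not booking.collaborators.filter(pk=user.pk).exists():` asks the database for the single row instead. The guard covers only this view, so any other view or API route serving the same booking data would presumably need it too, though none is visible here. The body of booking_detail_view starts before and continues past this hunk.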