From 70c27872283e2fc7098c438dc54eacc2b616c8a0 Mon Sep 17 00:00:00 2001
From: Ivlev Denis
Date: Wed, 14 Feb 2018 13:41:58 +0300
Subject: [PATCH] LIL-237. Check user perms in lesson detail view
---
 apps/course/templates/course/course.html | 2 +-
 apps/course/views.py | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/apps/course/templates/course/course.html b/apps/course/templates/course/course.html
index a99f3987..51f12405 100644
--- a/apps/course/templates/course/course.html
+++ b/apps/course/templates/course/course.html
@@ -212,7 +212,7 @@
Содержание курса
{% for lesson in course.lessons.all %} - +
{{ lesson.title }}
diff --git a/apps/course/views.py b/apps/course/views.py
index 48e22845..da8af471 100644
--- a/apps/course/views.py
+++ b/apps/course/views.py
@@ -166,7 +166,7 @@ class CourseView(DetailView):
 def get(self, request, *args, **kwargs):
 response = super().get(request, *args, **kwargs)
- if (self.object != Course.PUBLISHED and
+ if (self.object.status != Course.PUBLISHED and
 (request.user.role not in [User.AUTHOR_ROLE, User.ADMIN_ROLE] or
 self.object.author != request.user)):
 raise Http404
@@ -241,11 +241,20 @@ class CoursesView(ListView):
 return 'course/courses.html'
+@method_decorator(login_required, name='dispatch')
 class LessonView(DetailView):
 model = Lesson
 context_object_name = 'lesson'
 template_name = 'course/lesson.html'
+ def get(self, request, *args, **kwargs):
+ response = super().get(request, *args, **kwargs)
+ if (self.object.course.status != Course.PUBLISHED and
+ (request.user.role not in [User.AUTHOR_ROLE, User.ADMIN_ROLE] or
+ self.object.course.author != request.user)):
+ raise Http404
+ return response
+
 class SearchView(CoursesView):
 template_name = 'course/result.html'
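Review bot: In CourseView.get the inner test `request.user.role not in [User.AUTHOR_ROLE, User.ADMIN_ROLE] or self.object.author != request.user` still returns 404 to an admin who is not the course's author, because the `or` makes both the role and the authorship mandatory. If admins are meant to see every unpublished course (an assumption, since the intended rule is not stated on the page), the test would read `request.user.role != User.ADMIN_ROLE and self.object.author != request.user`. The same expression is copied into LessonView.get in the next hunk, so whichever rule is intended belongs in one helper shared by both views. Separately, `request.user.role` is evaluated for every unpublished course, and CourseView's decorators are outside the hunk, so it cannot be confirmed from here that an anonymous user never reaches that attribute lookup. The rest of get() continues outside the hunk.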
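Review bot: LessonView.get applies the visibility check only after `super().get()` has already loaded the lesson and built the response, so the authorization decision trails the work it is supposed to gate. Overriding `get_object` places the check where the lesson is fetched, before any context is assembled, and keeps it in force for any handler later added to the view. The condition below is logically the same as the one in the hunk, rewritten with De Morgan. The `login_required` decorator on dispatch appears to be what keeps an anonymous user away from the `request.user.role` lookup, so the decorator and the check should be kept together.

```python
class LessonView(DetailView):
    # … unchanged: model, context_object_name, template_name …

    def get_object(self, queryset=None):
        lesson = super().get_object(queryset)
        course = lesson.course
        has_editor_role = self.request.user.role in [User.AUTHOR_ROLE, User.ADMIN_ROLE]
        # Unpublished courses stay hidden unless the requester holds an
        # author/admin role and is the author of this course.
        if course.status != Course.PUBLISHED and not (
                has_editor_role and course.author == self.request.user):
            raise Http404
        return lesson
```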