LIL-237. Check user perms in course detail view

apps/course/views.py

@@ -1,6 +1,7 @@
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.db.models import Q
-from django.http import JsonResponse
+from django.http import JsonResponse, Http404
 from django.shortcuts import get_object_or_404
 from django.template import loader, Context, Template
 from django.views.generic import View, CreateView, DetailView, ListView, TemplateView
@@ -9,6 +10,8 @@ from django.views.decorators.http import require_http_methods
 from .models import Course, Like, Lesson, CourseComment, LessonComment
 from .filters import CourseFilter
 
+User = get_user_model()
+
 
 @login_required
 @csrf_exempt
@@ -159,6 +162,14 @@ class CourseView(DetailView):
     context_object_name = 'course'
     template_name = 'course/course.html'
 
+    def get(self, request, *args, **kwargs):
+        request = super().get(request, *args, **kwargs)
+        if (self.object != Course.PUBLISHED and
+                (request.user.role not in [User.AUTHOR_ROLE, User.ADMIN_ROLE] or
+                 object.author != request.user)):
+            raise Http404
+        return request
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         context['next'] = self.request.GET.get('next', None)