From a00538a8ed821e808724d5c2f8067b7bfa7a4c05 Mon Sep 17 00:00:00 2001
From: Ivlev Denis
Date: Wed, 14 Feb 2018 13:29:07 +0300
Subject: [PATCH] LIL-237. Check user perms in course detail view

---
 apps/course/views.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/apps/course/views.py b/apps/course/views.py
index b41115ff..6efa9f88 100644
--- a/apps/course/views.py
+++ b/apps/course/views.py
@@ -1,6 +1,7 @@
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.db.models import Q
-from django.http import JsonResponse
+from django.http import JsonResponse, Http404
 from django.shortcuts import get_object_or_404
 from django.template import loader, Context, Template
 from django.views.generic import View, CreateView, DetailView, ListView, TemplateView
@@ -9,6 +10,8 @@ from django.views.decorators.http import require_http_methods
 from .models import Course, Like, Lesson, CourseComment, LessonComment
 from .filters import CourseFilter
 
+User = get_user_model()
+
 
 @login_required
 @csrf_exempt
@@ -159,6 +162,14 @@ class CourseView(DetailView):
     context_object_name = 'course'
     template_name = 'course/course.html'
 
+    def get(self, request, *args, **kwargs):
+        request = super().get(request, *args, **kwargs)
+        if (self.object != Course.PUBLISHED and
+            (request.user.role not in [User.AUTHOR_ROLE, User.ADMIN_ROLE] or
+             object.author != request.user)):
+            raise Http404
+        return request
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         context['next'] = self.request.GET.get('next', None)
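Review bot: `request = super().get(request, *args, **kwargs)` in the new `CourseView.get` rebinds `request` to the response returned by `DetailView.get`, so the following `request.user.role` reads `.user` off a response object rather than the request, and `object.author` refers to the builtin `object` rather than `self.object`; either raises AttributeError (a 500) instead of the intended 404, so the permission check never actually denies anything cleanly. The guard also compares the Course instance itself with `Course.PUBLISHED` (`self.object != Course.PUBLISHED`), which is always true, so the role branch runs for every course including published ones; the comparison presumably belongs on the course's publication-status field, whose name is not visible in this patch. `request.user.role` further assumes an authenticated custom user — an AnonymousUser has no `role`, so unless CourseView is wrapped in `login_required` elsewhere, `getattr(request.user, 'role', None)` is the safer read. As written an admin who is not the author is refused as well (the `or`), which may be intended; the rewrite below keeps that semantics while fixing the three errors, and since only `get` is overridden, moving the check into `get_object()` would cover every code path of the view. The rest of CourseView lies outside the hunk.
```python
    def get(self, request, *args, **kwargs):
        response = super().get(request, *args, **kwargs)
        course = self.object
        role = getattr(request.user, 'role', None)
        # Unpublished courses are visible only to their author holding an
        # author/admin role; everyone else gets a 404 rather than a 403 so
        # the draft's existence is not confirmed to them.
        # <status_field>: placeholder for Course's publication-status field.
        if (course.<status_field> != Course.PUBLISHED and
                (role not in (User.AUTHOR_ROLE, User.ADMIN_ROLE) or
                 course.author != request.user)):
            raise Http404
        return response
```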