Hides information about your booking from other users

If a user is not the owner or a collaborator on a booking,
they should be kept from seeing the booking detail page which may
contain credentials, etc from the lab fulfilling the booking.

Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270
Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>

diff --git a/src/booking/views.py b/src/booking/views.py
index 9b9860f..a0ea31d 100644 (file)
--- a/src/booking/views.py
+++ b/src/booking/views.py
@@ -103,6 +103,10 @@ def booking_detail_view(request, booking_id):
         return render(request, "dashboard/login.html", {'title': 'Authentication Required'})
 
     booking = get_object_or_404(Booking, id=booking_id)
+    allowed_users = set(list(booking.collaborators.all()))
+    allowed_users.add(booking.owner)
+    if user not in allowed_users:
+        return render(request, "dashboard/login.html", {'title': 'This page is private'})
     return render(request, "booking/booking_detail.html", {
         'title': 'Booking Details',
         'booking': booking,