If a user is not the owner or a collaborator on a booking,
they should be kept from seeing the booking detail page, which may
contain credentials, etc. from the lab fulfilling the booking.
Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270
Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>
return render(request, "dashboard/login.html", {'title': 'Authentication Required'})
booking = get_object_or_404(Booking, id=booking_id)
+ allowed_users = set(list(booking.collaborators.all()))
+ allowed_users.add(booking.owner)
+ if user not in allowed_users:
+ return render(request, "dashboard/login.html", {'title': 'This page is private'})
return render(request, "booking/booking_detail.html", {
'title': 'Booking Details',
'booking': booking,
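Review bot: The denial branch under `if user not in allowed_users:` calls `render(request, "dashboard/login.html", {'title': 'This page is private'})` without a `status` argument, so a user who is neither owner nor collaborator receives HTTP 200 with the login template. Raising `django.core.exceptions.PermissionDenied` or passing `status=403` to `render` would make the refusal distinguishable for clients, access logs and tests. As a smaller point, `set(list(booking.collaborators.all()))` loads every collaborator just to test membership, and the `list()` wrapper is redundant; comparing `user` with `booking.owner` and then checking `booking.collaborators.filter(pk=user.pk).exists()` does the same check with one narrow query. A test that requests the detail page as an unrelated user and asserts on the denied response would keep this check from regressing.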