Hides information about your booking from other users 75/64075/1
author Parker Berberian <pberberian@iol.unh.edu>
Fri, 26 Oct 2018 14:52:14 +0000 (10:52 -0400)
committer Parker Berberian <pberberian@iol.unh.edu>
Fri, 26 Oct 2018 14:52:14 +0000 (10:52 -0400)
If a user is not the owner or a collaborator on a booking,
they should be kept from seeing the booking detail page which may
contain credentials, etc. from the lab fulfilling the booking.

Change-Id: I27c383a0e1d017b5d02a7c9a37676f6a968c9270
Signed-off-by: Parker Berberian <pberberian@iol.unh.edu>
dashboard/src/booking/views.py

index 9b9860f..a0ea31d 100644 (file)
@@ -103,6 +103,10 @@ def booking_detail_view(request, booking_id):
         return render(request, "dashboard/login.html", {'title': 'Authentication Required'})
 
     booking = get_object_or_404(Booking, id=booking_id)
+    allowed_users = set(list(booking.collaborators.all()))
+    allowed_users.add(booking.owner)
+    if user not in allowed_users:
+        return render(request, "dashboard/login.html", {'title': 'This page is private'})
     return render(request, "booking/booking_detail.html", {
         'title': 'Booking Details',
         'booking': booking,
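
Review bot: The denial branch under `if user not in allowed_users:` answers with `render(request, "dashboard/login.html", {'title': 'This page is private'})`, which is an HTTP 200 carrying the login template, so a refused request looks like a success to clients, access logs and monitoring. Raise `django.core.exceptions.PermissionDenied` or pass `status=403` to `render` so the refusal is visible as one. Because `get_object_or_404` runs before the check, a missing id returns 404 while another user's booking returns the private page, so the two responses tell a non-member which booking ids exist; returning the same 404 for both cases closes that gap. The `set(list(booking.collaborators.all()))` construction loads every collaborator row only to test membership; assuming `collaborators` relates to the same user model, `user == booking.owner or booking.collaborators.filter(pk=user.pk).exists()` gives the same answer without the intermediate list. A test that requests the page as the owner, as a collaborator and as an unrelated user would document the intended behaviour.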