From eb722f950b6ecc780e548c86dc42e5e45b17fc75 Mon Sep 17 00:00:00 2001 From: Sebastian Lohff Date: Mon, 27 Mar 2017 02:53:19 +0200 Subject: [PATCH] Protect rrequests --- rrequests/views.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rrequests/views.py b/rrequests/views.py index 4f84af9..8e3ad54 100644 --- a/rrequests/views.py +++ b/rrequests/views.py @@ -4,6 +4,7 @@ from django.urls import reverse from django.views.generic import FormView from django.contrib.auth.mixins import LoginRequiredMixin from django.contrib.auth.decorators import login_required +from django.db.models import Q from django.utils import timezone @@ -53,7 +54,8 @@ class RrequestCreate(LoginRequiredMixin, FormView): @login_required def rrequestDetail(request, pk): - reqObj = get_object_or_404(Request, pk=pk) + mnts = request.user.maintainer_set.all() + reqObj = get_object_or_404(Request.objects.filter(Q(provider__in=mnts) | Q(applicant__in=mnts)), pk=pk) mnts = request.user.maintainer_set.all() formClass = None