avoiding to show the talk detail to everyone but its owner
author
Lincoln de Sousa
<lincoln@alfaiati.net>
Fri, 24 Oct 2008 19:47:43 +0000
(17:47 -0200)
committer
Lincoln de Sousa
<lincoln@alfaiati.net>
Fri, 24 Oct 2008 19:47:43 +0000
(17:47 -0200)
eventos/views.py
diff --git
a/eventos/views.py
b/eventos/views.py
index
f8b8240
..
275958c
100644
(file)
--- a/
eventos/views.py
+++ b/
eventos/views.py
@@
-146,6
+146,10
@@
def speaker_talks(request, lid):
def talk_details(request, tid):
"""Shows a form to edit a talk
"""
def talk_details(request, tid):
"""Shows a form to edit a talk
"""
+ # If the user is not a speaker we should not try to show anything.
+ if not hasattr(request.user, 'palestrante_set'):
+ return forbidden
+
# Selected in settings.py (SITE_ID) variable, because an event can
# be linked with only one site.
event = Evento.objects.get(site__id__exact=settings.SITE_ID)
# Selected in settings.py (SITE_ID) variable, because an event can
# be linked with only one site.
event = Evento.objects.get(site__id__exact=settings.SITE_ID)
@@
-154,6
+158,11
@@
def talk_details(request, tid):
entity = get_object_or_404(Trabalho, pk=tid)
form = TalkForm(request.POST or None, instance=entity)
entity = get_object_or_404(Trabalho, pk=tid)
form = TalkForm(request.POST or None, instance=entity)
+ # avoiding smart people trying to se talks of other speakers.
+ speaker = request.user.palestrante_set.get()
+ if speaker.id != entity.palestrante.id:
+ return forbidden
+
# These fields should not be shown to the user.
form.fields['palestrante'].widget = HiddenInput()
form.fields['evento'].widget = HiddenInput()
# These fields should not be shown to the user.
form.fields['palestrante'].widget = HiddenInput()
form.fields['evento'].widget = HiddenInput()
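Review bot: The ownership check in the second hunk calls `request.user.palestrante_set.get()`, which raises when the logged-in user has no speaker row (or more than one), and the `hasattr(request.user, 'palestrante_set')` guard in the first hunk probably does not prevent that: if `palestrante_set` is a reverse relation on the user model, every authenticated user has the attribute and only an anonymous user lacks it. A non-speaker account would then get a server error instead of the forbidden response. I would express the check as a query, `if not request.user.palestrante_set.filter(pk=entity.palestrante.id).count(): return forbidden`, and place it before `TalkForm(request.POST or None, instance=entity)` so submitted data is never bound to another speaker's talk. `forbidden` is defined outside the hunk; confirm it is a response object and not a view that still needs to be called. The body of `talk_details` continues past the hunk, so whether the form is saved later is not visible here.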