avoiding to show the talk detail to everyone but its owner
authorLincoln de Sousa <lincoln@alfaiati.net>
Fri, 24 Oct 2008 19:47:43 +0000 (17:47 -0200)
committerLincoln de Sousa <lincoln@alfaiati.net>
Fri, 24 Oct 2008 19:47:43 +0000 (17:47 -0200)
eventos/views.py

index f8b8240..275958c 100644 (file)
@@ -146,6 +146,10 @@ def speaker_talks(request, lid):
 def talk_details(request, tid):
     """Shows a form to edit a talk
     """
+    # If the user is not a speaker we should not try to show anything.
+    if not hasattr(request.user, 'palestrante_set'):
+        return forbidden
+
     # Selected in settings.py (SITE_ID) variable, because an event can
     # be linked with only one site.
     event = Evento.objects.get(site__id__exact=settings.SITE_ID)
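Review bot: The `hasattr(request.user, 'palestrante_set')` guard on L14 does not test "is a speaker" as the comment says: every authenticated `User` carries the reverse-relation manager `palestrante_set` whether or not a Palestrante row exists, so only the anonymous user is rejected here, and a logged-in non-speaker falls through to `request.user.palestrante_set.get()` in the next hunk, which raises `DoesNotExist` (a 500) instead of returning `forbidden`. The guard should look at the relation itself, e.g. `if not request.user.is_authenticated() or not request.user.palestrante_set.count(): return forbidden` (or wrap the later `.get()` in `try/except` and return `forbidden` from the `except`). The comment should then say what is actually checked, e.g. `# Only a logged-in user with a speaker record may see talk details.` The body of talk_details continues past this hunk.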
@@ -154,6 +158,11 @@ def talk_details(request, tid):
     entity = get_object_or_404(Trabalho, pk=tid)
     form = TalkForm(request.POST or None, instance=entity)
 
+    # avoiding smart people trying to se talks of other speakers.
+    speaker = request.user.palestrante_set.get()
+    if speaker.id != entity.palestrante.id:
+        return forbidden
+
     # These fields should not be shown to the user.
     form.fields['palestrante'].widget = HiddenInput()
     form.fields['evento'].widget = HiddenInput()
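Review bot: The ownership comparison on L26 loads the related Palestrante just to read its primary key; comparing against the foreign-key column avoids that extra query: `if speaker.id != entity.palestrante_id:`. If `Trabalho.palestrante` is nullable (not visible here), `entity.palestrante.id` would also raise `AttributeError` on a talk with no speaker, whereas `palestrante_id` simply yields `None` and the check returns `forbidden`. The comment on L24 has a typo and would read better as `# Keep speakers from viewing or editing talks that belong to someone else.` The rest of talk_details, including whatever saves the form, lies outside this hunk.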