protected views from being used by wrong people
parent
e7c6055b3f
commit
aafc4e003e
1 changed files with 7 additions and 0 deletions
|
@ -400,6 +400,9 @@ def result_notification_prepare(request, section_slug, status):
|
||||||
if request.method != "POST":
|
if request.method != "POST":
|
||||||
return HttpResponseNotAllowed(["POST"])
|
return HttpResponseNotAllowed(["POST"])
|
||||||
|
|
||||||
|
if not request.user.has_perm("reviews.can_manage_%s" % section_slug):
|
||||||
|
return access_not_permitted(request)
|
||||||
|
|
||||||
proposal_pks = []
|
proposal_pks = []
|
||||||
try:
|
try:
|
||||||
for pk in request.POST.getlist("_selected_action"):
|
for pk in request.POST.getlist("_selected_action"):
|
||||||
|
@ -430,10 +433,14 @@ def result_notification_prepare(request, section_slug, status):
|
||||||
return render(request, "reviews/result_notification_prepare.html", ctx)
|
return render(request, "reviews/result_notification_prepare.html", ctx)
|
||||||
|
|
||||||
|
|
||||||
|
@login_required
|
||||||
def result_notification_send(request, section_slug, status):
|
def result_notification_send(request, section_slug, status):
|
||||||
if request.method != "POST":
|
if request.method != "POST":
|
||||||
return HttpResponseNotAllowed(["POST"])
|
return HttpResponseNotAllowed(["POST"])
|
||||||
|
|
||||||
|
if not request.user.has_perm("reviews.can_manage_%s" % section_slug):
|
||||||
|
return access_not_permitted(request)
|
||||||
|
|
||||||
if not all([k in request.POST for k in ["proposal_pks", "subject", "body"]]):
|
if not all([k in request.POST for k in ["proposal_pks", "subject", "body"]]):
|
||||||
return HttpResponseBadRequest()
|
return HttpResponseBadRequest()
|
||||||
|
|
||||||
|
|
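Review bot: The added check in `result_notification_send` authorises only against the `section_slug` from the URL, while the proposals to be notified come from the POSTed `proposal_pks`, and nothing visible in this section ties those keys to that section. The rest of both function bodies is outside the hunks, so this is inferred: if the proposal lookup is not filtered by section, a user holding `reviews.can_manage_` for one section would pass the check while acting on proposals of another. Please confirm the queries for `proposal_pks` here, and for `_selected_action` in `result_notification_prepare`, are restricted to the section named by `section_slug`. A comment above the check such as `# permission is per section; the proposal lookup below must be limited to this section` would record that intent. Since the same two lines now appear in both views, a shared helper or decorator would keep the checks from drifting apart.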