actually check permission for user profiles

Otherwise everyone can just access any profile.
author: Daniel Schadt <kingdread@gmx.de> 2023-04-01 11:30:44 +0200
committer: Daniel Schadt <kingdread@gmx.de> 2023-04-01 11:30:44 +0200
commit: ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94 (patch)
tree: 5842464363a8899e651eec3b30ad78ed48dcf61b
parent: 73561d641ddc52eeca438d100472820721c6a04e (diff)
download: fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.tar.gz
fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.tar.bz2
fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/fietsboek/views/profile.py b/fietsboek/views/profile.py
index 4d23ae4..81ec16d 100644
--- a/fietsboek/views/profile.py
+++ b/fietsboek/views/profile.py
@@ -113,6 +113,7 @@ def round_to_seconds(value: datetime.timedelta) -> datetime.timedelta:
     route_name="profile",
     renderer="fietsboek:templates/profile.jinja2",
     request_method="GET",
+    permission="profile.view",
 )
 def profile(request: Request) -> dict:
     """Shows the profile page.
@@ -154,7 +155,7 @@ def profile(request: Request) -> dict:
     }
 
 
-@view_config(route_name="user-tile", request_method="GET")
+@view_config(route_name="user-tile", request_method="GET", permission="profile.view")
 def user_tile(request: Request) -> Response:
     """Returns a single tile from the user's own overlay maps.
author	Daniel Schadt <kingdread@gmx.de>	2023-04-01 11:30:44 +0200
committer	Daniel Schadt <kingdread@gmx.de>	2023-04-01 11:30:44 +0200
commit	ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94 (patch)
tree	5842464363a8899e651eec3b30ad78ed48dcf61b
parent	73561d641ddc52eeca438d100472820721c6a04e (diff)
download	fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.tar.gz fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.tar.bz2 fietsboek-ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94.zip