authorDaniel Schadt <kingdread@gmx.de>2023-04-01 11:30:44 +0200
committerDaniel Schadt <kingdread@gmx.de>2023-04-01 11:30:44 +0200
commited0200a14a6bc54c25b2a82fd2fc9ed62f04ac94 (patch)
tree5842464363a8899e651eec3b30ad78ed48dcf61b
parent73561d641ddc52eeca438d100472820721c6a04e (diff)
actually check permission for user profiles
Otherwise everyone can just access any profile.
-rw-r--r--fietsboek/views/profile.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/fietsboek/views/profile.py b/fietsboek/views/profile.py
index 4d23ae4..81ec16d 100644
--- a/fietsboek/views/profile.py
+++ b/fietsboek/views/profile.py
@@ -113,6 +113,7 @@ def round_to_seconds(value: datetime.timedelta) -> datetime.timedelta:
route_name="profile",
renderer="fietsboek:templates/profile.jinja2",
request_method="GET",
+ permission="profile.view",
)
def profile(request: Request) -> dict:
"""Shows the profile page.
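Review bot: The added `permission="profile.view"` only restricts the view if the route's context factory grants that permission to the intended principals, and that factory is not part of this diff; the decorator's opening `@view_config(` line is also above this hunk. With `view_config` (Pyramid, by the look of it) a named permission that no ACE grants is denied by default, so a missing or misnamed ACE would surface as a 403 for the owner rather than as an open profile, but nothing in the commit pins either outcome. I would add a functional test alongside this change asserting that an authenticated user requesting another user's profile gets 403 while the owner still gets 200, since the commit message describes exactly the regression this is meant to close. The same applies to the `user_tile` decorator in the second hunk, which is cut off at the end of the view shown here.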
@@ -154,7 +155,7 @@ def profile(request: Request) -> dict:
}
-@view_config(route_name="user-tile", request_method="GET")
+@view_config(route_name="user-tile", request_method="GET", permission="profile.view")
def user_tile(request: Request) -> Response:
"""Returns a single tile from the user's own overlay maps.