From ed0200a14a6bc54c25b2a82fd2fc9ed62f04ac94 Mon Sep 17 00:00:00 2001
From: Daniel Schadt
Date: Sat, 1 Apr 2023 11:30:44 +0200
Subject: actually check permission for user profiles
Otherwise everyone can just access any profile.
---
 fietsboek/views/profile.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fietsboek/views/profile.py b/fietsboek/views/profile.py
index 4d23ae4..81ec16d 100644
--- a/fietsboek/views/profile.py
+++ b/fietsboek/views/profile.py
@@ -113,6 +113,7 @@ def round_to_seconds(value: datetime.timedelta) -> datetime.timedelta:
 route_name="profile",
 renderer="fietsboek:templates/profile.jinja2",
 request_method="GET",
+ permission="profile.view",
 )
 def profile(request: Request) -> dict:
 """Shows the profile page.
@@ -154,7 +155,7 @@ def profile(request: Request) -> dict:
 }
-@view_config(route_name="user-tile", request_method="GET")
+@view_config(route_name="user-tile", request_method="GET", permission="profile.view")
 def user_tile(request: Request) -> Response:
 """Returns a single tile from the user's own overlay maps.
-- 
cgit v1.2.3
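Review bot: Nothing in this commit pins the new `permission="profile.view"` check on the `profile` view with a test; the diffstat lists only `fietsboek/views/profile.py`, so a later change to the route factory or the ACL could reopen the access the commit message describes without any failure. A regression test that requests the `profile` route as a different logged-in user and as an anonymous client, and expects a forbidden response for both, would cover it. The check is only as strict as the `__acl__` of the context object this route resolves to, which is outside the hunk; presumably it grants `profile.view` to the owner only, and that is worth confirming. The `@view_config(` call opens above the hunk and the body of `profile` continues below it.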
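Review bot: `user_tile` reuses `profile.view`, yet its docstring says it serves tiles from "the user's own overlay maps", so anyone who is later granted permission to view a profile would also be allowed to fetch tiles through that user's layers. If those layers can carry per-user credentials or quotas (not visible here), a separate owner-only permission would be safer than sharing the profile one; at minimum the decorator deserves a comment such as `# profile.view must stay owner-only: this view serves tiles on behalf of the user`. As a style point, the new decorator line is long compared with the one-argument-per-line `@view_config(` form used for `profile` in the same file, and splitting it the same way would keep the permission visible in later diffs. The body of `user_tile` lies outside the hunk.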