Guard against attempts to use the review request view with a ReviewRequest id that does not match the document for the ReviewRequest. This would have exposed #2776 much earlier. Commit ready for merge.

- Legacy-Id: 16649

ietf/doc/views_review.py

@@ -12,7 +12,7 @@ import email.utils
 
 import debug    # pyflakes:ignore
 
-from django.http import HttpResponseForbidden, JsonResponse
+from django.http import HttpResponseForbidden, JsonResponse, Http404
 from django.shortcuts import render, get_object_or_404, redirect
 from django import forms
 from django.conf import settings
@@ -186,6 +186,8 @@ def review_request_forced_login(request, name, request_id):
 def review_request(request, name, request_id):
     doc = get_object_or_404(Document, name=name)
     review_req = get_object_or_404(ReviewRequest, pk=request_id)
+    if review_req.doc != doc:
+        raise Http404('The indicated ReviewRequest is not a request for the indicated document')
 
     can_manage_request = can_manage_review_requests_for_team(request.user, review_req.team)
 

ietf/release/urls.py

@@ -14,6 +14,5 @@ urlpatterns = [
     url(r'^(?P<version>[0-9.]+.*)/$',  views.release),
     url(r'^about/?$',  TemplateView.as_view(template_name='release/about.html')),
     url(r'^stats/?$',  views.stats),
-    url(r'^todo/?$',  TemplateView.as_view(template_name='release/todo.html')),
 ]