From 570107dbf16e38286a168cf6abc1d3a5c02b46b5 Mon Sep 17 00:00:00 2001
From: Russ Housley <housley@vigilsec.com>
Date: Sat, 2 Apr 2016 17:21:08 +0000
Subject: [PATCH] Only the Secretariat can see the history for parked IPR
 statements. Fixes #1922.  - Legacy-Id: 11070

---
 ietf/ipr/views.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ietf/ipr/views.py b/ietf/ipr/views.py
index 6de21b37f..a58191fef 100644
--- a/ietf/ipr/views.py
+++ b/ietf/ipr/views.py
@@ -370,6 +370,11 @@ def email(request, id):
 def history(request, id):
     """Show the history for a specific IPR disclosure"""
     ipr = get_object_or_404(IprDisclosureBase, id=id).get_child()
+
+    if not has_role(request.user, 'Secretariat'):
+        if ipr.state.slug != 'posted':
+            raise Http404
+
     events = ipr.iprevent_set.all().order_by("-time", "-id").select_related("by")
     if not has_role(request.user, "Secretariat"):
         events = events.exclude(type='private_comment')