Do not allow access to other wg documents. Fixes #558

- Legacy-Id: 2735
2010-12-24 13:50:09 +00:00 · 2010-12-24 13:50:09 +00:00 · 6729180833
parent 61697ed096
commit 6729180833
2 changed files with 13 additions and 3 deletions
--- a/ietf/wgchairs/accounts.py
+++ b/ietf/wgchairs/accounts.py
@ -22,7 +22,7 @@ def can_do_wg_workflow_in_document(user, document):
    person = get_person_for_user(user)
    if not person or not document.group:
        return False
-    return can_do_wg_workflow_in_group(document.group)
+    return can_do_wg_workflow_in_group(document.group.ietfwg)


 def can_manage_workflow_in_group(user, group):
@ -44,3 +44,10 @@ def can_manage_shepherds_in_group(user, group):
    if not person:
        return False
    return is_group_chair(person, group)
+
+
+def can_manage_shepherd_of_a_document(user, document):
+    person = get_person_for_user(user)
+    if not person or not document.group:
+        return False
+    return can_manage_shepherds_in_group(user, document.group.ietfwg)
--- a/ietf/wgchairs/views.py
+++ b/ietf/wgchairs/views.py
@ -1,14 +1,15 @@
 from ietf.idtracker.models import IETFWG, InternetDraft, IESGLogin
 from django.shortcuts import get_object_or_404, render_to_response
 from django.template import RequestContext
-from django.http import HttpResponseForbidden
+from django.http import HttpResponseForbidden, Http404

 from ietf.idrfc.views_search import SearchForm, search_query
 from ietf.wgchairs.forms import (RemoveDelegateForm, add_form_factory,
                                 workflow_form_factory, TransitionFormSet)
 from ietf.wgchairs.accounts import (can_manage_delegates_in_group, get_person_for_user,
                                    can_manage_shepherds_in_group,
-                                    can_manage_workflow_in_group)
+                                    can_manage_workflow_in_group,
+                                    can_manage_shepherd_of_a_document)
 from ietf.ietfworkflows.utils import (get_workflow_for_wg,
                                      get_default_workflow_for_wg)

@ -87,6 +88,8 @@ def managing_shepherd(request, acronym, name):
    if not can_manage_shepherds_in_group(user, wg):
        return HttpResponseForbidden('You have no permission to access this view')
    doc = get_object_or_404(InternetDraft, filename=name)
+    if not can_manage_shepherd_of_a_document(user, doc):
+        raise Http404
    add_form = add_form_factory(request, wg, user, shepherd=doc)
    if request.method == 'POST':
        if request.POST.get('remove_shepherd'):