From 6729180833b4d3ddf7c0cc37d840c1b15a583568 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20A=2E=20S=C3=A1nchez=20L=C3=B3pez?=
 <esanchez@yaco.es>
Date: Fri, 24 Dec 2010 13:50:09 +0000
Subject: [PATCH] Do not allow access to other wg documents. Fixes #558  -
 Legacy-Id: 2735

---
 ietf/wgchairs/accounts.py | 9 ++++++++-
 ietf/wgchairs/views.py    | 7 +++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ietf/wgchairs/accounts.py b/ietf/wgchairs/accounts.py
index 6177cbca0..2f751c00a 100644
--- a/ietf/wgchairs/accounts.py
+++ b/ietf/wgchairs/accounts.py
@@ -22,7 +22,7 @@ def can_do_wg_workflow_in_document(user, document):
     person = get_person_for_user(user)
     if not person or not document.group:
         return False
-    return can_do_wg_workflow_in_group(document.group)
+    return can_do_wg_workflow_in_group(document.group.ietfwg)
 
 
 def can_manage_workflow_in_group(user, group):
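Review bot: The rewritten call `return can_do_wg_workflow_in_group(document.group.ietfwg)` still passes no user, although `person` is looked up two lines above and the sibling helpers in this file (`can_manage_workflow_in_group(user, group)`, `can_manage_shepherds_in_group(user, group)`) take the user as their first argument; if `can_do_wg_workflow_in_group` shares that signature the call is wrong, but its definition is not in the hunk, so please confirm. Note also that `document.group.ietfwg` is a related-object accessor and will raise rather than return None when the group has no IETFWG row linked; if that can happen for the documents reaching this check, catch it and return False like the `not document.group` guard does. can_do_wg_workflow_in_document starts outside the hunk.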
@@ -44,3 +44,10 @@ def can_manage_shepherds_in_group(user, group):
     if not person:
         return False
     return is_group_chair(person, group)
+
+
+def can_manage_shepherd_of_a_document(user, document):
+    person = get_person_for_user(user)
+    if not person or not document.group:
+        return False
+    return can_manage_shepherds_in_group(user, document.group.ietfwg)
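Review bot: `can_manage_shepherd_of_a_document` resolves `person` only to test it for truthiness and then calls `can_manage_shepherds_in_group(user, ...)`, which per the context lines just above repeats the same `get_person_for_user(user)` lookup and `not person` check, so every call does the work twice for no extra coverage; dropping the local lookup and keeping only the `not document.group` guard gives the same answer. The new helper also has no docstring; suggest `"""True when *user* chairs the working group that owns *document*; False if the draft has no group."""`. As with the other callers, `document.group.ietfwg` raises when no IETFWG row is linked to the group rather than yielding a falsy value, which is worth either guarding or documenting as a precondition.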
diff --git a/ietf/wgchairs/views.py b/ietf/wgchairs/views.py
index f147c1289..ce353e511 100644
--- a/ietf/wgchairs/views.py
+++ b/ietf/wgchairs/views.py
@@ -1,14 +1,15 @@
 from ietf.idtracker.models import IETFWG, InternetDraft, IESGLogin
 from django.shortcuts import get_object_or_404, render_to_response
 from django.template import RequestContext
-from django.http import HttpResponseForbidden
+from django.http import HttpResponseForbidden, Http404
 
 from ietf.idrfc.views_search import SearchForm, search_query
 from ietf.wgchairs.forms import (RemoveDelegateForm, add_form_factory,
                                  workflow_form_factory, TransitionFormSet)
 from ietf.wgchairs.accounts import (can_manage_delegates_in_group, get_person_for_user,
                                     can_manage_shepherds_in_group,
-                                    can_manage_workflow_in_group)
+                                    can_manage_workflow_in_group,
+                                    can_manage_shepherd_of_a_document)
 from ietf.ietfworkflows.utils import (get_workflow_for_wg,
                                       get_default_workflow_for_wg)
 
@@ -87,6 +88,8 @@ def managing_shepherd(request, acronym, name):
     if not can_manage_shepherds_in_group(user, wg):
         return HttpResponseForbidden('You have no permission to access this view')
     doc = get_object_or_404(InternetDraft, filename=name)
+    if not can_manage_shepherd_of_a_document(user, doc):
+        raise Http404
     add_form = add_form_factory(request, wg, user, shepherd=doc)
     if request.method == 'POST':
         if request.POST.get('remove_shepherd'):
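Review bot: The new guard `if not can_manage_shepherd_of_a_document(user, doc): raise Http404` verifies that the user chairs the document's own group, but never verifies that the document belongs to the `wg` named in the URL, so a user who chairs two groups can still open group B's draft under group A's `acronym`, and `add_form_factory(request, wg, user, shepherd=doc)` is then handed a wg that does not own the draft (whether that matters depends on add_form_factory, which is not shown). A direct ownership test closes that gap, e.g. `if doc.group is None or doc.group.ietfwg != wg: raise Http404` (compare primary keys if `wg` and `doc.group.ietfwg` are different model classes). A one-line comment would also help explain why this check answers 404 while the group check two lines earlier answers 403, e.g. `# 404, not 403: do not reveal that a draft exists in another group`. managing_shepherd starts before the hunk and continues after it.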