Merged in [11070] from housley@vigilsec.com:

Only the Secretariat can see the history for parked IPR statements. Fixes #1922. - Legacy-Id: 11086 Note: SVN reference [11070] has been migrated to Git commit 570107dbf1
2016-04-03 13:35:45 +00:00 · 2016-04-03 13:35:45 +00:00 · eabc7b2c76
parent 2c4efd1e25
commit eabc7b2c76
1 changed files with 5 additions and 0 deletions
--- a/ietf/ipr/views.py
+++ b/ietf/ipr/views.py
@ -370,6 +370,11 @@ def email(request, id):
 def history(request, id):
    """Show the history for a specific IPR disclosure"""
    ipr = get_object_or_404(IprDisclosureBase, id=id).get_child()
+
+    if not has_role(request.user, 'Secretariat'):
+        if ipr.state.slug != 'posted':
+            raise Http404
+
    events = ipr.iprevent_set.all().order_by("-time", "-id").select_related("by")
    if not has_role(request.user, "Secretariat"):
        events = events.exclude(type='private_comment')