Commit ebf08333 authored by Daniel W Bond's avatar Daniel W Bond

properly locking everything down

parent 9fe2f8f0
......@@ -6,7 +6,7 @@ from braces.views import LoginRequiredMixin
from django.contrib.auth.models import User
from core.models import Student
from django.http import Http404
from django.http import Http404, HttpResponseForbidden
from django.forms.widgets import HiddenInput
### VIEWS ###
......@@ -34,7 +34,17 @@ class DetailLookout(LoginRequiredMixin, DetailView):
context_object_name = 'lookout'
login_url = '/'
# remember, see all the lookouts on the homepage
def get_context_data(self, **kwargs):
context = super(DetailLookout, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user)
lookout_student = self.get_object().owner
if not(lookout_student == me):
return HttpResponseForbidden()
return context
# updating is not neccessary since it's just literally an isbn and a course
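Review bot: Replacing `raise Http404` with `return HttpResponseForbidden()` inside `get_context_data` (line `return HttpResponseForbidden()` in DetailLookout) does not deny the request: `get_context_data` must return the context dict, and Django's generic `get` passes whatever it returns straight into `render_to_response`, so the response object becomes the template context instead of being sent to the client, and the ownership check no longer short-circuits the way the exception did. The same pattern is introduced in the DeleteLookout, CreateFlag, DeleteFlag, EditListing, SellListing, UnSellListing, CancelListing and ReopenListing hunks below. To keep the 403 semantics the commit is after, raise instead of return: `from django.core.exceptions import PermissionDenied` and `raise PermissionDenied`, which Django's handler turns into a 403; alternatively restrict `get_queryset()` to the requesting student's objects so other users' records resolve to 404 before any context is built. The enclosing `class DetailLookout` header is outside this hunk.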
......@@ -49,6 +59,6 @@ class DeleteLookout(LoginRequiredMixin, DeleteView):
lookout_student = self.get_object().owner
if not(lookout_student == me):
raise Http404
return HttpResponseForbidden()
return context
......@@ -4,6 +4,8 @@ from core.models import Student
from django.views.generic import TemplateView
from braces.views import LoginRequiredMixin
from django.db.models import Sum
from collections import Counter
......@@ -17,7 +19,7 @@ class HomepageView(TemplateView):
context['lookouts'] = Lookout.objects.filter(owner=self.request.user.student)
return context
class ChartsView(TemplateView):
class ChartsView(LoginRequiredMixin, TemplateView):
template_name = 'charts.html'
def get_context_data(self, **kwargs):
......
......@@ -7,7 +7,7 @@ from django.views.generic import View, DetailView, ListView, CreateView, UpdateV
from braces.views import LoginRequiredMixin
from django.contrib.auth.models import User
from django.http import Http404
from django.http import Http404, HttpResponseForbidden
from django.forms.widgets import HiddenInput
from django.core.urlresolvers import reverse
......@@ -139,11 +139,12 @@ class CreateFlag(LoginRequiredMixin, CreateView):
# you can't flag your own listing
if (selling_student == me):
raise Http404
return HttpResponseForbidden()
# can only create a flag if you haven't previously created one
if not can_flag(me, selected_listing):
raise Http404
# because the page shouldn't exist in this scenario
raise Http404
context['listing'] = selected_listing
return context
......@@ -159,10 +160,11 @@ class DeleteFlag(LoginRequiredMixin, DeleteView):
context = super(DeleteFlag, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user)
flag_student = self.get_object().flagger.user
flag_student = self.get_object().flagger
#if not(requesting_student == flag_student):
# raise Http404
# if you didn't create the flag, you can't delete the flag
if not(me == flag_student):
return HttpResponseForbidden()
return context
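Review bot: The two commented-out lines `#if not(requesting_student == flag_student):` / `# raise Http404` are left directly above the live check that replaces them; they reference a name (`requesting_student`) that no longer exists in the method and should be deleted rather than kept as dead code. The change from `self.get_object().flagger.user` to `self.get_object().flagger` makes the comparison `me == flag_student` depend on `flagger` being a `Student` rather than a `User`; that looks intended, but it is worth confirming against the Flag model, since a mismatched type would make the check silently always deny. The `get_context_data` signature is inside the hunk but the enclosing `class DeleteFlag` header is not.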
......@@ -213,7 +215,7 @@ class EditListing(LoginRequiredMixin, UpdateView):
selling_student = self.get_object().seller
if not(selling_student == me):
raise Http404
return HttpResponseForbidden()
return context
......@@ -232,10 +234,11 @@ class SellListing(LoginRequiredMixin, UpdateView):
selling_student = self.get_object().seller
if not(selling_student == me):
raise Http404
return HttpResponseForbidden()
bid_count = Bid.objects.filter(listing=self.get_object).count()
if bid_count < 1:
# because the page shouldn't exist in this scenario
raise Http404
today = date.today()
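Review bot: The context line `bid_count = Bid.objects.filter(listing=self.get_object).count()` passes the bound method `self.get_object` rather than the listing instance, so the bid-count guard that follows it (`if bid_count < 1: raise Http404`) is not filtering on the object under review; presumably `listing=self.get_object()` was intended, matching the `self.get_object().seller` call two lines above. This is pre-existing rather than introduced here, but the commit touches the surrounding ownership check and is a natural place to correct it. The enclosing `get_context_data` and `class SellListing` start and end outside this hunk.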
......@@ -266,7 +269,7 @@ class UnSellListing(LoginRequiredMixin, UpdateView):
selling_student = self.get_object().seller
if not(selling_student == me):
raise Http404
return HttpResponseForbidden()
today = date.today()
......@@ -294,7 +297,7 @@ class CancelListing(LoginRequiredMixin, UpdateView):
selling_student = self.get_object().seller
if not(selling_student == me):
raise Http404
return HttpResponseForbidden()
today = date.today()
......@@ -321,7 +324,7 @@ class ReopenListing(LoginRequiredMixin, UpdateView):
selling_student = self.get_object().seller
if not(selling_student == me):
raise Http404
return HttpResponseForbidden()
form = ReopenListingForm(initial={'cancelled' : False})
form.fields['cancelled'].widget = HiddenInput()
......