From 8787e5e708f87c866b154404f2438500a93f22b1 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Tue, 28 Mar 2017 14:39:52 +0200
Subject: [PATCH] Better protection for stats
---
 core/views/user.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/core/views/user.py b/core/views/user.py
index 63bccc4e..025d516f 100644
--- a/core/views/user.py
+++ b/core/views/user.py
@@ -265,7 +265,13 @@ class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):

 def dispatch(self, request, *arg, **kwargs):
 profile = self.get_object()
- if (profile != request.user and not request.user.is_root):
+ if not hasattr(profile, "customer"):
+ raise Http404
+
+ if not (profile == request.user
+ or request.user.is_in_group(settings.SITH_GROUP_ACCOUNTING_ADMIN_ID)
+ or request.user.is_in_group(settings.SITH_BAR_MANAGER['unix_name']+settings.SITH_BOARD_SUFFIX)
+ or request.user.is_root):
 raise PermissionDenied

 return super(UserStatsView, self).dispatch(request, *arg, **kwargs)
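Review bot: The `hasattr(profile, "customer")` check raises `Http404` before the permission test in `dispatch`, so a requester who would be refused anyway gets 404 for a profile without a customer account and 403 for one with it, which discloses who has an account. Moving the `if not (profile == request.user or ...): raise PermissionDenied` block above the `Http404` check removes that difference without changing who is allowed in. Both checks also run before `super().dispatch()`, so whatever `CanViewMixin` enforces has not run yet; if `request.user` can be anonymous at this point, `is_in_group` and `is_root` must exist on that object, which is worth confirming. The two `is_in_group` calls pass an ID setting and a concatenated unix name respectively, so a comment such as `# is_in_group accepts either a group id or a group name` (if that is indeed its contract) would help the next reader.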