forked from DGNum/gestioCOF
Add permission check to AccountStatBalance
Only connected user can get its balance data
This commit is contained in:
parent
87b9db520f
commit
1ee993e1e1
1 changed files with 6 additions and 0 deletions
|
@ -2260,6 +2260,12 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
|
|||
# TODO: offset
|
||||
return context
|
||||
|
||||
def get_object(self, *args, **kwargs):
|
||||
obj = super().get_object(*args, **kwargs)
|
||||
if self.request.user != obj.user:
|
||||
raise PermissionDenied
|
||||
return obj
|
||||
|
||||
@method_decorator(login_required)
|
||||
def dispatch(self, *args, **kwargs):
|
||||
return super(AccountStatBalance, self).dispatch(*args, **kwargs)
|
||||
|
|
Loading…
Reference in a new issue