Add permission check to AccountStatBalance

Only connected user can get its balance data
2017-04-02 17:14:36 +02:00 · 2017-04-02 17:14:36 +02:00 · 1ee993e1e1
parent 87b9db520f
commit 1ee993e1e1
1 changed files with 6 additions and 0 deletions
--- a/kfet/views.py
+++ b/kfet/views.py
@ -2260,6 +2260,12 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
        # TODO: offset
        return context

+    def get_object(self, *args, **kwargs):
+        obj = super().get_object(*args, **kwargs)
+        if self.request.user != obj.user:
+            raise PermissionDenied
+        return obj
+
    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
        return super(AccountStatBalance, self).dispatch(*args, **kwargs)