From 1ee993e1e11a0318de6ae1251eb57e30655c3c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Delobelle?=
Date: Sun, 2 Apr 2017 17:14:36 +0200
Subject: [PATCH] Add permission check to AccountStatBalance

Only connected user can get its balance data
---
 kfet/views.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kfet/views.py b/kfet/views.py
index b0c90083..58413d80 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -2260,6 +2260,12 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
 # TODO: offset
 return context
 
+ def get_object(self, *args, **kwargs):
+ obj = super().get_object(*args, **kwargs)
+ if self.request.user != obj.user:
+ raise PermissionDenied
+ return obj
+
 @method_decorator(login_required)
 def dispatch(self, *args, **kwargs):
 return super(AccountStatBalance, self).dispatch(*args, **kwargs)
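Review bot: The ownership test in the added `get_object` is an exact-identity comparison, so it also refuses any staff or team member who might legitimately need another account's balance; if owner-only is the intent, record it in a docstring, e.g. `"""Only the account's own user may read its balance data; anyone else gets 403."""`, otherwise widen the condition with whatever team-permission check the rest of views.py uses. The method also relies on `PermissionDenied` being imported in views.py and on the object returned by `super().get_object()` exposing a `user` attribute, neither of which is visible in this hunk — worth confirming, since a missing import or attribute would surface as a 500 rather than the intended 403. Raising `PermissionDenied` after a successful lookup still tells a non-owner that the requested pk exists (403 vs 404); that is probably acceptable here, but raising `Http404` instead would close that oracle if account existence is considered sensitive. The enclosing class AccountStatBalance starts before this hunk, so the interaction with `login_required` on `dispatch` (which runs first, as the hunk shows) is the only ordering visible.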