restrict to team even if malicious POST edit

2017-01-07 13:57:54 -02:00 · 2017-01-07 13:57:54 -02:00 · 7dc7d57a5e
parent fcf76b4af8
commit 7dc7d57a5e
1 changed files with 2 additions and 1 deletions
--- a/kfet/views.py
+++ b/kfet/views.py
@ -473,7 +473,8 @@ def account_update(request, trigramme):
                messages.success(request,
                                 'Vos informations ont été mises à jour')

-                if pwd_form.is_valid():
+                if request.user.has_perm('kfet.is_team') \
+                        and pwd_form.is_valid():
                    pwd = pwd_form.cleaned_data['pwd1']
                    pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\
                                        .hexdigest()