From 7dc7d57a5eabf8d9e1ba9c441afe824292e2c4a8 Mon Sep 17 00:00:00 2001
From: Ludovic Stephan
Date: Sat, 7 Jan 2017 13:57:54 -0200
Subject: [PATCH] restrict to team even if malicious POST edit
---
 kfet/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kfet/views.py b/kfet/views.py
index c0f90034..0a8771d7 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -473,7 +473,8 @@ def account_update(request, trigramme):
 messages.success(request, 'Vos informations ont été mises à jour')
- if pwd_form.is_valid():
+ if request.user.has_perm('kfet.is_team') \
+ and pwd_form.is_valid():
 pwd = pwd_form.cleaned_data['pwd1']
 pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\
 .hexdigest()
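Review bot: The new guard `if request.user.has_perm('kfet.is_team') and pwd_form.is_valid():` drops a password submission from a non-team user silently, so a tampered POST is neither refused nor recorded; the rest of account_update lies outside the hunk and may handle this, but nothing visible does. Consider rejecting explicitly before the form is processed, e.g. `if 'pwd1' in request.POST and not request.user.has_perm('kfet.is_team'): raise PermissionDenied` (from `django.core.exceptions`, if not already imported), and logging the attempt. The check also covers only the requester's role, not whether the account named by `trigramme` is one they are allowed to change, which is worth confirming against the code above the hunk. Separately, the context lines store the password as an unsalted, single-round `hashlib.sha256(...).hexdigest()`, which is cheap to attack offline if the table leaks; Django's `make_password`/`check_password` would be the usual replacement.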