From d7cd9b10eb5d8a6bd19c5bb8c358156566bf89b7 Mon Sep 17 00:00:00 2001
From: Andrew Williams <andy@tensixtyone.com>
Date: Fri, 29 Oct 2010 12:54:16 +0100
Subject: [PATCH] Stop anyone requesting refreshes

---
 sso/views.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/sso/views.py b/sso/views.py
index 8a5ab36..5a1a8e0 100644
--- a/sso/views.py
+++ b/sso/views.py
@@ -104,14 +104,15 @@ def eveapi_refresh(request, userid=0):
         except EVEAccount.DoesNotExist:
             pass
         else:
-            import_eve_account(acc.api_key, acc.api_user_id, force_cache=True)
-            request.user.get_profile().update_access()
+            if acc.user == request.user or request.user.is_superuser:
+                import_eve_account(acc.api_key, acc.api_user_id, force_cache=True)
+                request.user.get_profile().update_access()
 
-            if request.is_ajax():
-                acc = EVEAccount.objects.get(id=userid)
-                return HttpResponse(serializers.serialize('json', [acc]), mimetype='application/javascript')
-            else:
-                request.user.message_set.create(message="Key %s has been refreshed from the EVE API." % acc.api_user_id)
+                if request.is_ajax():
+                    acc = EVEAccount.objects.get(id=userid)
+                    return HttpResponse(serializers.serialize('json', [acc]), mimetype='application/javascript')
+                else:
+                    request.user.message_set.create(message="Key %s has been refreshed from the EVE API." % acc.api_user_id)
 
     return HttpResponseRedirect(reverse('sso.views.profile'))