From ff0b0b487b69c62095e52b78792d68b5c19ee179 Mon Sep 17 00:00:00 2001
From: Andrew Williams
Date: Sat, 1 Oct 2011 11:16:18 +0100
Subject: [PATCH] Do permission checking on blacklisting
---
 app/hr/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/hr/views.py b/app/hr/views.py
index 27dfbda..c6b8ee0 100644
--- a/app/hr/views.py
+++ b/app/hr/views.py
@@ -323,8 +323,11 @@ class HrBlacklistUser(FormView):
 form_class = BlacklistUserForm
 def dispatch(self, request, *args, **kwargs):
- self.blacklist_user = get_object_or_404(User, id=kwargs.get('userid'))
- return super(HrBlacklistUser, self).dispatch(request, *args, **kwargs)
+ if request.user.has_perm('hr.add_blacklist'):
+ self.blacklist_user = get_object_or_404(User, id=kwargs.get('userid'))
+ return super(HrBlacklistUser, self).dispatch(request, *args, **kwargs)
+ else:
+ raise Http404
 def get_context_data(self, **kwargs):
 context = super(HrBlacklistUser, self).get_context_data(**kwargs)
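Review bot: The new `else: raise Http404` branch in `HrBlacklistUser.dispatch` needs `Http404` in scope, yet the diffstat shows this hunk is the only change, so the commit adds no import. Unless `app/hr/views.py` already has `from django.http import Http404` above the hunk, a request without `hr.add_blacklist` would hit a NameError and return a 500 instead of the intended denial. Answering an authorisation failure with 404 also makes denied attempts look like missing pages in the logs and gives anonymous users no login redirect; if hiding the view is not the goal, `raise PermissionDenied` (from `django.core.exceptions`) returns a 403 that is easier to alert on. Checking the permission before `get_object_or_404` is the right order, since unauthorised callers cannot probe which user ids exist, and a guard clause would state it more directly: `if not request.user.has_perm('hr.add_blacklist'): raise Http404` ahead of the two original lines. The rest of the class lies outside the hunk, so it is worth confirming no other entry point on it bypasses `dispatch`.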