nofusscomputing/centurion_erp
1
0
Fork 0
Code Issues Wiki Activity

fix(user_token): conduct user check on token view access

Browse Source 
!34 #63
This commit is contained in:
Jon Lockwood
2024-06-30 16:05:31 +09:30
parent 4d3a238583
commit 6cfcf1580c
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
app/settings/views/user_settings.py
View File

@ -126,6 +126,26 @@ class TokenDelete(OrganizationPermission, generic.DeleteView):
template_name = 'form.html.j2'
def delete(self, request, *args, **kwargs):
if self.request.user.id != self.kwargs['user_id']:
raise PermissionDenied()
return None
return super().delete(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
if self.request.user.id != self.kwargs['user_id']:
raise PermissionDenied()
return None
return super().post(request, *args, **kwargs)
def get_success_url(self, **kwargs):
return reverse('_settings_user', args=(self.kwargs['user_id'],))