[Branch,~linaro-validation/lava-scheduler/trunk] Rev 178: return a 403 not a 404 when viewing a job you are not permitted to see

Message ID 20120614054211.26921.91619.launchpad@ackee.canonical.com
State Accepted

Commit Message

Michael-Doyle Hudson June 14, 2012, 5:42 a.m.
Merge authors:
  Michael Hudson-Doyle (mwhudson)
Related merge proposals:
  https://code.launchpad.net/~mwhudson/lava-scheduler/http-403-on-private-job-bug-1003817/+merge/107329
  proposed by: Michael Hudson-Doyle (mwhudson)
  review: Approve - Andy Doan (doanac)
------------------------------------------------------------
revno: 178 [merge]
committer: Michael Hudson-Doyle <michael.hudson@linaro.org>
branch nick: trunk
timestamp: Thu 2012-06-14 17:40:46 +1200
message:
  return a 403 not a 404 when viewing a job you are not permitted to see
modified:
  lava_scheduler_app/views.py


--
lp:lava-scheduler
https://code.launchpad.net/~linaro-validation/lava-scheduler/trunk


Patch

=== modified file 'lava_scheduler_app/views.py'
--- lava_scheduler_app/views.py	2012-06-04 21:09:38 +0000
+++ lava_scheduler_app/views.py	2012-06-14 05:28:44 +0000
@@ -7,6 +7,7 @@ 
 from dateutil.relativedelta import relativedelta
 
 from django.conf import settings
+from django.core.exceptions import PermissionDenied
 from django.core.urlresolvers import reverse
 from django.db.models import Count
 from django.http import (
@@ -207,8 +208,10 @@ 
         RequestContext(request))
 
 def get_restricted_job(user, pk):
-    return get_object_or_404(
-        TestJob.objects.accessible_by_principal(user), pk=pk)
+    job =  get_object_or_404(TestJob.objects, pk=pk)
+    if not job.is_accessible_by(user):
+        raise PermissionDenied()
+    return job
 
 class DeviceTypeTable(DataTablesTable):
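
Review bot: In get_restricted_job, raising PermissionDenied after an unfiltered get_object_or_404(TestJob.objects, pk=pk) lets a caller without access distinguish a private job that exists (403) from a pk that does not exist (404), which the old query filtered through accessible_by_principal(user) did not reveal. If job pks are guessable, that turns the view into an existence check for restricted jobs, so it is worth stating in the merge description that this disclosure is accepted. The access decision also moves from the queryset filter accessible_by_principal(user) to the per-object job.is_accessible_by(user); nothing in this diff shows that the two apply the same rule, so a test that asserts 403 for a private job, 404 for a missing pk and 200 for a permitted user would pin the behaviour down. Minor style point: `job =  get_object_or_404(` has a double space after the `=`.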