don't allow download xml for non-public books

author Jan Szejko <janek37@gmail.com>

Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)

committer Jan Szejko <janek37@gmail.com>

Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)
author Jan Szejko <janek37@gmail.com>
Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)
committer Jan Szejko <janek37@gmail.com>
Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)
diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py

index c6ae419..e6f6cca 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -205,6 +205,8 @@ def upload(request):
  
  
  def serve_xml(request, book, slug):
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
      xml = book.materialize(publishable=True)
      response = http.HttpResponse(xml, content_type='application/xml')
      response['Content-Disposition'] = 'attachment; filename=%s.xml' % slug
@@ -214,14 +216,11 @@ def serve_xml(request, book, slug):
  @never_cache
  def book_xml(request, slug):
      book = get_object_or_404(Book, slug=slug)
-    if not book.accessible(request):
-        return HttpResponseForbidden("Not authorized.")
      return serve_xml(request, book, slug)
  
  
  @never_cache
  def book_xml_dc(request, slug):
-    # no permission check, because non-public books
      book = get_object_or_404(Book, dc_slug=slug)
      return serve_xml(request, book, slug)
author	Jan Szejko <janek37@gmail.com>
	Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)
committer	Jan Szejko <janek37@gmail.com>
	Fri, 26 May 2017 10:12:49 +0000 (12:12 +0200)