Merge remote-tracking branch 'origin/production' into production
authorJan Szejko <janek37@gmail.com>
Mon, 28 Nov 2016 16:37:49 +0000 (17:37 +0100)
committerJan Szejko <janek37@gmail.com>
Mon, 28 Nov 2016 16:37:49 +0000 (17:37 +0100)
apps/catalogue/urls.py
apps/catalogue/views.py

index 7989d2a..83ee0e2 100644 (file)
@@ -33,9 +33,7 @@ urlpatterns = patterns('catalogue.views',
     url(r'^book/(?P<slug>[^/]+)/publish$', 'publish', name="catalogue_publish"),
 
     url(r'^book/(?P<slug>[^/]+)/$', 'book', name="catalogue_book"),
-    url(r'^book/(?P<slug>[^/]+)/gallery/$',
-            permission_required('catalogue.change_book')(GalleryView.as_view()),
-            name="catalogue_book_gallery"),
+    url(r'^book/(?P<slug>[^/]+)/gallery/$', GalleryView.as_view(), name="catalogue_book_gallery"),
     url(r'^book/(?P<slug>[^/]+)/xml$', 'book_xml', name="catalogue_book_xml"),
     url(r'^book/(?P<slug>[^/]+)/txt$', 'book_txt', name="catalogue_book_txt"),
     url(r'^book/(?P<slug>[^/]+)/html$', 'book_html', name="catalogue_book_html"),
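Review bot: With the `permission_required('catalogue.change_book')` wrapper removed from the gallery route, the only access check left is the one inside `GalleryView.get_object`, and that check lets every requester through when `book.public` is true. GalleryView extends UploadView, so if the view also accepts uploads or deletions (UploadView is not visible here), those write requests on a public book are no longer limited to users holding `catalogue.change_book`. Consider leaving reads open for public books but still requiring the permission for other methods, for example `if request.method not in ('GET', 'HEAD') and not request.user.has_perm('catalogue.change_book'): raise PermissionDenied` in `get_object`.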
index b30297c..22aeffe 100644 (file)
@@ -587,6 +587,8 @@ def publish_image(request, slug):
 class GalleryView(UploadView):
     def get_object(self, request, slug):
         book = get_object_or_404(Book, slug=slug)
+        if not book.public and not request.user.has_perm('catalogue.change_book'):
+            return HttpResponseForbidden()
         if not book.gallery:
             raise Http404
         return book
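Review bot: The added branch in `get_object` returns an `HttpResponseForbidden()` instance, whereas every other path returns a `Book` or raises. Unless the UploadView code that calls it checks the return type (not visible in this hunk), the response object will be used as the book and the request will carry on instead of being refused. Raising is the safer form: `raise PermissionDenied` (from `django.core.exceptions`, imported if views.py does not already have it), which Django turns into a 403. Separately, because the check runs after `get_object_or_404`, a 403 versus a 404 tells an unauthenticated requester which slugs belong to non-public books. Raising `Http404` here would avoid that if slug existence is considered sensitive.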