From: Jan Szejko Date: Fri, 26 May 2017 10:12:49 +0000 (+0200) Subject: don't allow download xml for non-public books X-Git-Url: https://git.mdrn.pl/redakcja.git/commitdiff_plain/8906541ccda592d4e3c3d21618fb34f662916aa0?ds=sidebyside don't allow download xml for non-public books --- diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index c6ae4197..e6f6cca7 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -205,6 +205,8 @@ def upload(request): def serve_xml(request, book, slug): + if not book.accessible(request): + return HttpResponseForbidden("Not authorized.") xml = book.materialize(publishable=True) response = http.HttpResponse(xml, content_type='application/xml') response['Content-Disposition'] = 'attachment; filename=%s.xml' % slug @@ -214,14 +216,11 @@ def serve_xml(request, book, slug): @never_cache def book_xml(request, slug): book = get_object_or_404(Book, slug=slug) - if not book.accessible(request): - return HttpResponseForbidden("Not authorized.") return serve_xml(request, book, slug) @never_cache def book_xml_dc(request, slug): - # no permission check, because non-public books book = get_object_or_404(Book, dc_slug=slug) return serve_xml(request, book, slug)