From: Jan Szejko
Date: Mon, 28 Nov 2016 16:37:49 +0000 (+0100)
Subject: Merge remote-tracking branch 'origin/production' into production
X-Git-Url: https://git.mdrn.pl/redakcja.git/commitdiff_plain/e08b9a9ce539493a925abad05a1a2900aa80583e?hp=a06e4a375f8fc89372b2f487ded10be3e1b1ceac
Merge remote-tracking branch 'origin/production' into production
---
diff --git a/apps/catalogue/urls.py b/apps/catalogue/urls.py
index 7989d2ad..83ee0e26 100644
--- a/apps/catalogue/urls.py
+++ b/apps/catalogue/urls.py
@@ -33,9 +33,7 @@ urlpatterns = patterns('catalogue.views',
 url(r'^book/(?P[^/]+)/publish$', 'publish', name="catalogue_publish"),
 url(r'^book/(?P[^/]+)/$', 'book', name="catalogue_book"),
- url(r'^book/(?P[^/]+)/gallery/$',
- permission_required('catalogue.change_book')(GalleryView.as_view()),
- name="catalogue_book_gallery"),
+ url(r'^book/(?P[^/]+)/gallery/$', GalleryView.as_view(), name="catalogue_book_gallery"),
 url(r'^book/(?P[^/]+)/xml$', 'book_xml', name="catalogue_book_xml"),
 url(r'^book/(?P[^/]+)/txt$', 'book_txt', name="catalogue_book_txt"),
 url(r'^book/(?P[^/]+)/html$', 'book_html', name="catalogue_book_html"),
diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index b30297cd..22aeffe8 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -587,6 +587,8 @@ def publish_image(request, slug):
 class GalleryView(UploadView):
 def get_object(self, request, slug):
 book = get_object_or_404(Book, slug=slug)
+ if not book.public and not request.user.has_perm('catalogue.change_book'):
+ return HttpResponseForbidden()
 if not book.gallery:
 raise Http404
 return book
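Review bot: The added gallery route in urls.py drops the `permission_required('catalogue.change_book')` wrapper, so the URL no longer enforces any permission itself and relies entirely on `GalleryView.get_object` in views.py. That check only covers non-public books, so for a public book the view is reachable without `catalogue.change_book`, and apparently without a login at all. GalleryView extends UploadView, which is not shown here; if it also handles uploads or deletions, those writes should stay gated, for example with `if request.method not in ('GET', 'HEAD') and not request.user.has_perm('catalogue.change_book'): raise PermissionDenied` in `get_object`. A short comment on the route such as `# access is checked in GalleryView.get_object` would also tell the next reader where the authorization went.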
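Review bot: The added branch in `get_object` returns `HttpResponseForbidden()` where every other exit either raises (`Http404`) or returns the Book, so the caller presumably receives the response object as if it were the book instead of sending a 403. Raising keeps the method's contract: `raise PermissionDenied` (from `django.core.exceptions`), which Django renders as a 403. The hunk also shows no import for `HttpResponseForbidden`, so confirm the name is in scope in views.py if the return is kept. GalleryView may continue past the end of the hunk.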