From 8906541ccda592d4e3c3d21618fb34f662916aa0 Mon Sep 17 00:00:00 2001
From: Jan Szejko <janek37@gmail.com>
Date: Fri, 26 May 2017 12:12:49 +0200
Subject: [PATCH] don't allow download xml for non-public books

---
 apps/catalogue/views.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index c6ae4197..e6f6cca7 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -205,6 +205,8 @@ def upload(request):
 
 
 def serve_xml(request, book, slug):
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
     xml = book.materialize(publishable=True)
     response = http.HttpResponse(xml, content_type='application/xml')
     response['Content-Disposition'] = 'attachment; filename=%s.xml' % slug
@@ -214,14 +216,11 @@ def serve_xml(request, book, slug):
 @never_cache
 def book_xml(request, slug):
     book = get_object_or_404(Book, slug=slug)
-    if not book.accessible(request):
-        return HttpResponseForbidden("Not authorized.")
     return serve_xml(request, book, slug)
 
 
 @never_cache
 def book_xml_dc(request, slug):
-    # no permission check, because non-public books
     book = get_object_or_404(Book, dc_slug=slug)
     return serve_xml(request, book, slug)
 
-- 
2.20.1