Render 404 when accessing /{request_id}/edit unauthorized or for non-…

…existing request
thegreenwebfoundation · Aug 24, 2023 · aba1e30 · aba1e30
1 parent 4bcbc8f
commit aba1e30
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/apps/accounts/views.py b/apps/accounts/views.py
@@ -8,7 +8,7 @@
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.sites.shortcuts import get_current_site
 from django.db.models.query import QuerySet
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, Http404
 from django.urls import reverse
 from django.utils.safestring import mark_safe
 from django.utils.encoding import force_text
@@ -272,6 +272,25 @@ class Steps(Enum):
         Steps.PREVIEW.value: "provider_registration/preview.html",
     }
 
+    def dispatch(self, request, *args, **kwargs):
+        request_id = kwargs.get("request_id")
+
+        # all users can access this view to create a new request
+        if not request_id:
+            return super().dispatch(request, *args, **kwargs)
+
+        # edit view can be only accessed for existing PRs
+        try:
+            pr = ProviderRequest.objects.get(id=request_id)
+        except ProviderRequest.DoesNotExist:
+            raise Http404("Page not found")
+
+        # only admins and creators can access for editing existing requests
+        if not request.user.is_admin or request.user.id != pr.created_by.id:
+            raise Http404("Page not found")
+
+        return super().dispatch(request, *args, **kwargs)
+
     def done(self, form_list, form_dict, **kwargs):
         """
         This method is called when all the forms are validated and submitted.