prevent non-superusers from going to other user profile page

TOMToolkit · Nov 19, 2024 · 3d22539 · 3d22539
1 parent 6ca6e3c
commit 3d22539
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/tom_common/templates/tom_common/user_profile.html b/tom_common/templates/tom_common/user_profile.html
@@ -15,10 +15,8 @@ <h3>
     <div class="row">
         <div class="col-lg">
             {% user_data user %}
-            {% user_data user %}
         </div>
         <div class="col-lg">
-            {% user_data user %}
         </div>
     </div>
 </div>

diff --git a/tom_common/views.py b/tom_common/views.py
@@ -89,6 +89,16 @@ class UserDetailView(LoginRequiredMixin, DetailView):
     template_name = 'tom_common/user_profile.html'
     model = User
 
+    def dispatch(self, *args, **kwargs):
+        """
+        Directs the class-based view to the correct method for the HTTP request method. Ensures that non-superusers
+        are not incorrectly updating the profiles of other users.
+        """
+        if not self.request.user.is_superuser and self.request.user.id != self.kwargs['pk']:
+            return redirect('user-profile', self.request.user.id)
+        else:
+            return super().dispatch(*args, **kwargs)
+
 
 class UserPasswordChangeView(SuperuserRequiredMixin, FormView):
     """