From 40ceb9a15247a1052cebd56e78899dcca8c553eb Mon Sep 17 00:00:00 2001
From: lispyclouds
Date: Tue, 14 Feb 2017 08:17:17 +0530
Subject: [PATCH] Deny access to non-admin users to other's pages
- This checks that the user making the request is the same user as the one logged in and prevents access to the pages of other users if its not admin
---
 plinth/modules/users/views.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/plinth/modules/users/views.py b/plinth/modules/users/views.py
index e90e30911..f431a02eb 100644
--- a/plinth/modules/users/views.py
+++ b/plinth/modules/users/views.py
@@ -19,6 +19,7 @@ from django.contrib import messages
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import User
 from django.contrib.messages.views import SuccessMessageMixin
+from django.core.exceptions import PermissionDenied
 from django.urls import reverse, reverse_lazy
 from django.views.generic.edit import (CreateView, DeleteView, UpdateView,
 FormView)
@@ -80,6 +81,13 @@ class UserUpdate(ContextMixin, SuccessMessageMixin, UpdateView):
 success_message = ugettext_lazy('User %(username)s updated.')
 title = ugettext_lazy('Edit User')
+ def dispatch(self, request, *args, **kwargs):
+ if self.request.user.get_username() != self.kwargs['slug'] \ and not self.request.user.groups.filter(name='admin').exists():
+ raise PermissionDenied
+
+ return super(UserUpdate, self).dispatch(request, *args, **kwargs)
+
 def get_form_kwargs(self):
 """Make the requst object available to the form."""
 kwargs = super(UserUpdate, self).get_form_kwargs()
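Review bot: The owner-or-admin check in the new `dispatch` of `UserUpdate` is a verbatim copy of the one this same patch adds to `UserChangePassword`, and duplicated authorization logic is exactly the kind that drifts when one copy is later fixed and the other is not; I would lift it into a small mixin that both views inherit, placed first in the base list so its `dispatch` runs before the generic view's. The new method also carries no docstring although the neighbouring `get_form_kwargs` does, so the mixin below states the rule it enforces. The hard-coded group name `'admin'` then lives in one place instead of two. The `UserUpdate` class header is outside this hunk, so the changed base list shown below is inferred from the `@@` context line.
```python
class AdminOrSelfMixin(object):
    """Allow a view only to admins or to the user whose page it is."""

    def dispatch(self, request, *args, **kwargs):
        """Raise PermissionDenied unless the request is made by an admin
        or by the user named in the URL slug."""
        is_admin = request.user.groups.filter(name='admin').exists()
        if request.user.get_username() != kwargs['slug'] and not is_admin:
            raise PermissionDenied

        return super(AdminOrSelfMixin, self).dispatch(request, *args, **kwargs)


class UserUpdate(AdminOrSelfMixin, ContextMixin, SuccessMessageMixin, UpdateView):
    # … unchanged: class attributes, get_form_kwargs …
```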
@@ -143,6 +151,13 @@ class UserChangePassword(ContextMixin, SuccessMessageMixin, FormView):
 title = ugettext_lazy('Change Password')
 success_message = ugettext_lazy('Password changed successfully.')
+ def dispatch(self, request, *args, **kwargs):
+ if self.request.user.get_username() != self.kwargs['slug'] \ and not self.request.user.groups.filter(name='admin').exists():
+ raise PermissionDenied
+
+ return super(UserChangePassword, self).dispatch(request, *args, **kwargs)
+
 def get_form_kwargs(self):
 """Make the user object available to the form."""
 kwargs = super(UserChangePassword, self).get_form_kwargs()
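Review bot: The new `dispatch` on `UserChangePassword` has no docstring while the adjacent `get_form_kwargs` does; I would add `"""Deny access unless the request comes from an admin or from the user named by the URL slug."""` so the authorization rule is stated where it is enforced. The body reads `self.request` and `self.kwargs` although `dispatch` receives `request` and `kwargs` directly; `if request.user.get_username() != kwargs['slug'] \` followed by `and not request.user.groups.filter(name='admin').exists():` is the same check with less indirection. Because this check runs before the parent `dispatch`, an anonymous visitor (whose `get_username()` is `''` and whose `groups` manager matches nothing) gets a 403 from here rather than a login redirect if login is enforced by a decorator on a parent `dispatch` instead of by middleware — I cannot tell which from the hunk, so worth confirming. The `UserChangePassword` class begins before this hunk and continues after it.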