Changes user to username; restricts outside users

MIT-LCP · Feb 19, 2021 · fbbad17 · fbbad17
1 parent 57a1873
commit fbbad17
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/physionet-django/user/urls.py b/physionet-django/user/urls.py
@@ -38,7 +38,7 @@
     path('settings/credentialing/', views.edit_credentialing, name='edit_credentialing'),
     path('settings/credentialing/applications/',
         views.user_credential_applications, name='user_credential_applications'),
-    path('settings/credentialing/applications/<user>/',
+    path('settings/credentialing/applications/<username>/',
         views.user_credential_applications, name='user_credential_applications'),
     path('settings/agreements/', views.view_agreements, name='edit_agreements'),
     path('settings/agreements/<id>/',

diff --git a/physionet-django/user/views.py b/physionet-django/user/views.py
@@ -16,7 +16,7 @@
 from django.db import IntegrityError
 from django.forms import inlineformset_factory, HiddenInput, CheckboxInput
 from django.http import HttpResponse, Http404, HttpResponseRedirect
-from django.shortcuts import redirect, render
+from django.shortcuts import redirect, render, get_object_or_404
 from django.template import loader
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
@@ -573,12 +573,15 @@ def edit_credentialing(request):
 
 
 @login_required
-def user_credential_applications(request, user=None):
+def user_credential_applications(request, username=None):
     """
     All the credential applications made by a user
     """
-    if user:
-        request_user = User.objects.filter(username=user)[0]
+    if username:
+        if request.user.is_admin or (request.user == username):
+            request_user = get_object_or_404(User, username__iexact=username)
+        else:
+            raise Http404()
     else:
         request_user = request.user
     applications = CredentialApplication.objects.filter(