do not allow unauthenticated access to unlink page (fixes #22405)

2018-03-09 13:30:29 +01:00 · 2018-03-09 13:30:29 +01:00 · d8f8257987
parent afa48159bb
commit d8f8257987
1 changed files with 2 additions and 0 deletions
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@ -488,6 +488,8 @@ class UnlinkView(LoggerMixin, FormView):
        return kwargs

    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated():
+            raise PermissionDenied()
        # We prevent unlinking if the user has no usable password and can't change it
        # because we assume that the password is the unique other mean of authentication
        # and unlinking would make the account unreachable.