contacts: limit search view to appropriate users (#10469)

2016-03-29 14:54:28 +02:00 · 2016-03-29 14:54:28 +02:00 · f87a3e4638
parent ec45247f64
commit f87a3e4638
1 changed files with 9 additions and 0 deletions
--- a/welco/contacts/views.py
+++ b/welco/contacts/views.py
@ -22,6 +22,7 @@ import time
 from django import template
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import PermissionDenied
 from django.http import HttpResponse
 from django.template import RequestContext
 from django.views.decorators.csrf import csrf_exempt
@ -67,6 +68,14 @@ zone = csrf_exempt(ContactsZone.as_view())


 def search_json(request):
+    user_groups = set([x.name for x in request.user.groups.all()])
+    for channel in settings.CHANNEL_ROLES:
+        channel_groups = set(settings.CHANNEL_ROLES[channel])
+        if user_groups.intersection(channel_groups):
+            break
+    else:
+        raise PermissionDenied()
+
    query = request.GET.get('q')
    if query:
        result = get_wcs_data('api/users/', {'q': query, 'limit': 10})