From 24d85d5086e305d7e4f7ea72185584d08de446f9 Mon Sep 17 00:00:00 2001
From: "M.Ravi" <mondi.ravi@gmail.com>
Date: Tue, 12 Dec 2017 15:43:25 +0100
Subject: [PATCH] Check has_perm only for invoices

---
 hosting/views.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/hosting/views.py b/hosting/views.py
index 68f55433..2166f1dd 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -687,17 +687,6 @@ class OrdersHostingDetailView(LoginRequiredMixin,
                 order_id=order_id
             ))
             hosting_order_obj = None
-        if not self.request.user.has_perm(
-                self.permission_required[0], hosting_order_obj
-        ):
-            logger.debug(
-                "User {user} does not have permission on HostingOrder "
-                "{order_id}. Raising 404 error now.".format(
-                    user=self.request.user.email,
-                    order_id=order_id if hosting_order_obj else 'None'
-                )
-            )
-            raise Http404
         return hosting_order_obj
 
     def get_context_data(self, **kwargs):
@@ -718,6 +707,17 @@ class OrdersHostingDetailView(LoginRequiredMixin,
             context['page_header_text'] = _('Confirm Order')
         else:
             context['page_header_text'] = _('Invoice')
+            if not self.request.user.has_perm(
+                    self.permission_required[0], obj
+            ):
+                logger.debug(
+                    "User {user} does not have permission on HostingOrder "
+                    "{order_id}. Raising 404 error now.".format(
+                        user=self.request.user.email,
+                        order_id=obj.id if obj else 'None'
+                    )
+                )
+                raise Http404
 
         if obj is not None:
             # invoice for previous order