From beefeb62cb525f3bdd62cf6307c48220698041c4 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Tue, 12 Dec 2017 09:38:08 +0100
Subject: [PATCH] Raise 404 for HostingOrder not belonging to user
---
 hosting/views.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/hosting/views.py b/hosting/views.py
index f6d0f0eb..1ac57c62 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -670,9 +670,16 @@ class OrdersHostingDetailView(LoginRequiredMixin,
 permission_required = ['view_hostingorder']
 model = HostingOrder

- def get_object(self):
- return HostingOrder.objects.get(
- pk=self.kwargs.get('pk')) if self.kwargs.get('pk') else None
+ def get_object(self, queryset=None):
+ try:
+ hosting_order_obj = HostingOrder.objects.get(
+ pk=self.kwargs.get('pk')
+ )
+ except HostingOrder.DoesNotExist:
+ hosting_order_obj = None
+ if not self.request.user.has_perm(hosting_order_obj):
+ raise Http404
+ return hosting_order_obj

 def get_context_data(self, **kwargs):
 # Get context
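Review bot: The ownership check in the new `get_object` passes the order instance as the first argument of `has_perm`, but Django's `User.has_perm(perm, obj=None)` expects the permission name there, so the call never tests an object-level permission on this order. With the stock backends it would likely be true only for active superusers, regardless of who owns the order. Pass the name and the object separately, e.g. `if not self.request.user.has_perm('view_hostingorder', hosting_order_obj):`, which depends on an object-permission backend being configured (not visible in this hunk), or restrict the lookup itself to the requesting user's orders. The `except HostingOrder.DoesNotExist:` branch should `raise Http404` directly instead of carrying `None` into the permission call, since a superuser would otherwise get `None` back from `get_object`. The `Http404` import and the rest of the class lie outside the hunk.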