diff --git a/Changelog b/Changelog
index 6b8b1370..d3c2c549 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,7 @@
Next:
* #3911: [dcl] Integrate resend activation link into dcl landing payment page
* #3972: [hosting] Add ungleich company info to invoice footer
+ * #3974: [hosting] Improve invoice number: Show 404 for invoice resources that do not belong to the user
1.2.13: 2017-12-09
* [cms] Introduce UngleichHeaderBackgroundImageAndTextSliderPlugin that allows to have scrolling images and texts
* [cms] Remove

tag for ungleich cms customer item template
diff --git a/hosting/views.py b/hosting/views.py
index f6d0f0eb..978abf28 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -670,13 +670,25 @@ class OrdersHostingDetailView(LoginRequiredMixin,
permission_required = ['view_hostingorder']
model = HostingOrder
- def get_object(self):
- return HostingOrder.objects.get(
- pk=self.kwargs.get('pk')) if self.kwargs.get('pk') else None
+ def get_object(self, queryset=None):
+ order_id = self.kwargs.get('pk')
+ try:
+ hosting_order_obj = HostingOrder.objects.get(pk=order_id)
+ logger.debug("Found HostingOrder for id {order_id}".format(
+ order_id=order_id
+ ))
+ except HostingOrder.DoesNotExist:
+ logger.debug("HostingOrder not found for id {order_id}".format(
+ order_id=order_id
+ ))
+ hosting_order_obj = None
+ return hosting_order_obj
def get_context_data(self, **kwargs):
# Get context
- context = super(DetailView, self).get_context_data(**kwargs)
+ context = super(
+ OrdersHostingDetailView, self
+ ).get_context_data(**kwargs)
obj = self.get_object()
owner = self.request.user
stripe_api_cus_id = self.request.session.get('customer')
@@ -690,6 +702,17 @@ class OrdersHostingDetailView(LoginRequiredMixin,
context['page_header_text'] = _('Confirm Order')
else:
context['page_header_text'] = _('Invoice')
+ if not self.request.user.has_perm(
+ self.permission_required[0], obj
+ ):
+ logger.debug(
+ "User {user} does not have permission on HostingOrder "
+ "{order_id}. Raising 404 error now.".format(
+ user=self.request.user.email,
+ order_id=obj.id if obj else 'None'
+ )
+ )
+ raise Http404
if obj is not None:
# invoice for previous order
diff --git a/ungleich_page/locale/de/LC_MESSAGES/django.po b/ungleich_page/locale/de/LC_MESSAGES/django.po
index 873bb0df..affd285d 100644
--- a/ungleich_page/locale/de/LC_MESSAGES/django.po
+++ b/ungleich_page/locale/de/LC_MESSAGES/django.po
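Review bot: The new `get_object` returns None both when no pk is in the URL and when the pk matches no HostingOrder, whereas the removed lines returned None only for the missing-pk case; an unknown id therefore reaches the later `has_perm(..., obj)` call with `obj=None`, which Django's stock ModelBackend answers from the model-level permission rather than from ownership, so a user who holds `view_hostingorder` at model level gets a 200 for any non-existent id. In the `except HostingOrder.DoesNotExist:` branch, `if order_id is not None: raise Http404` (Http404 is already used in this file) keeps the no-pk flow intact and gives a non-existent id the same 404 as a foreign one, so order ids cannot be probed. Style: `logger.debug("Found HostingOrder for id %s", order_id)` lets the logging call format lazily instead of building the message eagerly with `.format`. `get_context_data` continues past the end of this hunk.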
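Review bot: The ownership check is enforced only inside `get_context_data`, so any handler on this view that calls `self.get_object()` directly (the removed `super(DetailView, ...)` suggests a DetailView, whose `get()` does so before building context, and a `post()` override would too) still loads another user's order without the 404; moving the `has_perm(...)` test and `raise Http404` into `get_object`, immediately before `return hosting_order_obj`, makes the rule hold for every entry point and removes the second query that `obj = self.get_object()` currently issues. Whether the added block sits inside the `else:` ('Invoice') branch or after the whole if/else cannot be read from the collapsed hunk; if it is inside `else:`, the 'Confirm Order' path is not covered. Note that `has_perm(perm, obj)` with a non-None obj returns False under Django's default ModelBackend, so this code relies on an object-permission backend being configured, which deserves a comment such as `# object-level check: answered by the configured auth backend, not ModelBackend` above the `if`. `get_context_data` begins and ends outside this hunk.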
@@ -22,7 +22,7 @@ msgid "Glasfaser menu"
msgstr ""
msgid "\"Sorry, we could not find the page you are looking for!\""
-msgstr ""
+msgstr "\"Leider konnten wir die von dir gesuchte Seite nicht finden!\""
msgid "Toggle navigation"
msgstr "Umschalten"