From 3ce760b4042fe302b0d79807d82a4542d3b86e83 Mon Sep 17 00:00:00 2001
From: Jakub Kadlčík
Date: Jun 04 2018 15:59:00 +0000
Subject: [frontend] protect the user information page
---
diff --git a/frontend/coprs_frontend/coprs/views/coprs_ns/coprs_general.py b/frontend/coprs_frontend/coprs/views/coprs_ns/coprs_general.py
index 1fce949..fd53e61 100644
--- a/frontend/coprs_frontend/coprs/views/coprs_ns/coprs_general.py
+++ b/frontend/coprs_frontend/coprs/views/coprs_ns/coprs_general.py
@@ -119,6 +119,9 @@ def coprs_by_user(username=None, page=1):
 @coprs_ns.route("//info")
 def user_info(username):
+ if not flask.g.user or flask.g.user.name != username:
+ raise ValidationError("You are not allowed to see personal information of another user.")
+
 user = users_logic.UsersLogic.get(username).first()
 graph = builds_logic.BuildsLogic.get_running_tasks_from_last_day()
 return flask.render_template("user_info.html",
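Review bot: The new guard at the top of `user_info` signals an authorization failure by raising `ValidationError`, so the status code and page the client receives depend on an error handler that is not visible in this hunk; a denied request should get an explicit 403, e.g. `flask.abort(403)`, or the project's own access-denied exception if it has one. The same branch also covers anonymous visitors (`not flask.g.user`), who would be better served by a redirect to login than by a validation error. The import of `ValidationError` is not visible in the hunk either, so confirm the name is in scope in `coprs_general.py`. A short comment above the check, such as `# personal data: only the account owner may view this page`, would record why the route is restricted. `user_info`'s body continues past the end of the hunk.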