From 847b9ec8e22dcfd06894b9f238350106cd3d2512 Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Mon, 12 Nov 2018 16:06:05 +0100
Subject: [PATCH] Do not allow logged in users to view all raw images
---
 ivatar/ivataraccount/views.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ivatar/ivataraccount/views.py b/ivatar/ivataraccount/views.py
index ad4b79a..d2961a5 100644
--- a/ivatar/ivataraccount/views.py
+++ b/ivatar/ivataraccount/views.py
@@ -415,6 +415,8 @@ class RawImageView(DetailView):
 def get(self, request, *args, **kwargs):
 photo = self.model.objects.get(pk=kwargs['pk']) # pylint: disable=no-member
+ if not photo.user.id is request.user.id:
+ return HttpResponseRedirect(reverse_lazy('home'))
 return HttpResponse(
 BytesIO(photo.data), content_type='image/%s' % photo.format)
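Review bot: The ownership check on the added line `if not photo.user.id is request.user.id:` compares the two ids by object identity, which in CPython only coincides with equality for small cached integers, so an owner whose id falls outside that range would presumably be redirected away from their own image. The failure is in the closed direction, but the access decision should not rest on an interpreter detail; use a value comparison, `if photo.user.id != request.user.id:`. The unchanged lookup `self.model.objects.get(pk=kwargs['pk'])` still raises for an unknown pk before the check runs, so a missing photo and another user's photo likely produce different responses; scoping the query to the requester (for example `get_object_or_404` with a `user=request.user` filter, if that fits the project) would make both cases look the same. The class body starts outside the hunk, so any login requirement on the view is not visible here.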