From 94c3ab1e41c68de209ffe20a33db8ae8c30edb0d Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Fri, 2 Aug 2019 11:55:02 +0200
Subject: [PATCH] Allow staff (is_staff) to view other peoples raw images as well as their profile, by appending the username to the profile url - for support reasons
---
 ivatar/ivataraccount/urls.py | 1 +
 ivatar/ivataraccount/views.py | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ivatar/ivataraccount/urls.py b/ivatar/ivataraccount/urls.py
index 57b679d..8bf4420 100644
--- a/ivatar/ivataraccount/urls.py
+++ b/ivatar/ivataraccount/urls.py
@@ -63,6 +63,7 @@ urlpatterns = [ # pylint: disable=invalid-name
 ), name='export'),
 path('delete/', DeleteAccountView.as_view(), name='delete'),
 path('profile/', ProfileView.as_view(), name='profile'),
+ url('profile/(?P\w+)', ProfileView.as_view(), name='profile_with_profile_username'),
 path('add_email/', AddEmailView.as_view(), name='add_email'),
 path('add_openid/', AddOpenIDView.as_view(), name='add_openid'),
 path('upload_photo/', UploadPhotoView.as_view(), name='upload_photo'),
diff --git a/ivatar/ivataraccount/views.py b/ivatar/ivataraccount/views.py
index 62ac7c9..d11ac64 100644
--- a/ivatar/ivataraccount/views.py
+++ b/ivatar/ivataraccount/views.py
@@ -409,7 +409,7 @@ class RawImageView(DetailView):
 def get(self, request, *args, **kwargs):
 photo = self.model.objects.get(pk=kwargs['pk']) # pylint: disable=no-member
- if not photo.user.id == request.user.id:
+ if not photo.user.id == request.user.id and not request.user.is_staff:
 return HttpResponseRedirect(reverse_lazy('home'))
 return HttpResponse(
 BytesIO(photo.data), content_type='image/%s' % photo.format)
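Review bot: The new route's regex is unanchored, and `\w+` is narrower than the usernames Django accepts by default. As shown, `'profile/(?P\w+)'` has no `^` or trailing `$`, so it can match longer paths that merely contain `profile/` followed by a word, and a username containing `.`, `@`, `+` or `-` is cut at the first such character and looked up as a different, shorter name. Since the view reads `kwargs['profile_username']`, I would write the pattern as a raw string with both anchors and the full username character class, `re_path(r'^profile/(?P<profile_username>[\w.@+-]+)/$', ProfileView.as_view(), name='profile_with_profile_username')`. The group name appears to have been stripped from the page, so that part of the pattern is inferred from the view code.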
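Review bot: With `and not request.user.is_staff` on the changed line of `RawImageView.get`, any staff account can fetch every user's raw image by primary key, and nothing in the method records that it happened. `is_staff` is the flag that grants admin-site login, so it is broader than "support may view user images"; a dedicated permission checked with `request.user.has_perm(...)` would scope this more tightly. A log line naming the staff user and `photo.pk`, written when the owner comparison fails but the staff check passes, would give this support access an audit trail. Separately, `self.model.objects.get(pk=kwargs['pk'])` on the context line raises `DoesNotExist` for an unknown pk, where `get_object_or_404` would return a 404 instead of an error page.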
@@ -883,6 +883,15 @@ class ProfileView(TemplateView): template_name = 'profile.html' def get(self, request, *args, **kwargs): + if 'profile_username' in kwargs: + if not request.user.is_staff: + return HttpResponseRedirect(reverse_lazy('profile')) + try: + u = User.objects.get(username=kwargs['profile_username']) + request.user = u + except: + pass + self._confirm_claimed_openid() return super().get(self, request, args, kwargs)
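Review bot: `request.user = u` replaces the authenticated staff user with the target account for the rest of the request, so everything after it, including `self._confirm_claimed_openid()` and whatever the template does with `request.user`, runs as that user rather than as a read-only support view. The bare `except: pass` hides every error, and a mistyped username silently renders the staff member's own profile. I would leave `request.user` untouched, load the target into a separate attribute that the template reads (a template change outside this hunk), catch only `User.DoesNotExist`, and log which staff account opened which profile. `Http404` and a module logger may need importing in views.py; neither is visible here. The hunk is shown collapsed, so whether `self._confirm_claimed_openid()` is a context line or part of the addition is inferred.

```python
    def get(self, request, *args, **kwargs):
        # None means "render the logged-in user's own profile".
        self.profile_user = None
        if 'profile_username' in kwargs:
            if not request.user.is_staff:
                return HttpResponseRedirect(reverse_lazy('profile'))
            try:
                # Keep request.user as the staff member; the target is carried separately.
                self.profile_user = User.objects.get(
                    username=kwargs['profile_username'])
            except User.DoesNotExist:
                raise Http404('No such user')
            logger.info(
                'staff %s viewed profile of %s',
                request.user.username, self.profile_user.username)
        # … unchanged: self._confirm_claimed_openid() and the super().get() call …
```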