Empêche un membre non staff d'éditer le profil d'un autre membre (#4041)

* Empêche un membre non staff d'éditer le profil d'un autre membre * Correction * PEP-8
zestedesavoir · Dec 8, 2016 · 6a1033b · 6a1033b
1 parent c649be8
commit 6a1033b
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/zds/member/views.py b/zds/member/views.py
@@ -593,6 +593,9 @@ def articles(request):
 def settings_mini_profile(request, user_name):
     """Minimal settings of users for staff."""
 
+    if not request.user.has_perm('member.change_profile'):
+        raise PermissionDenied
+
     # extra information about the current user
     profile = get_object_or_404(Profile, user__username=user_name)
     if request.method == "POST":