Issue 379: Shouldn't access to unpublished review requests.
Review Request #366 — Created April 23, 2008 and submitted
This fix limits access to unpublished review requests. Only the submitter and people who has permission should be able to access the review request. I define a decorator maker at reviewboad/accounts/decorators.py, and decorate review_request views. Current code uses raise HttpResponseForbidden() But it should be return HttpResponseForbidden("Error Message HTML") or from django.core.exceptions import PermissionDenied raise PermissionDenied I use HttpResponseForbidden, but error message is hard coded and very cheep. Maybe we can refactor it later to something like "templates/404.html" way of django.http.Http404. ------------------------------------ According to David's review, * moved decorators.py to reviewboard/reviews/ * changed a parameter name from only_unpublic to only_nonpublic * changed from returning HttpForbidden to raising Http404 when permission doesn't match Thanks for reviwing.
Tested on my local machine. Post new review request but not publish. Access the urls (/r/<id>/, /r/<id>/diff, and so on) as another user.