Check ACL's before we'll display user warnings. #37

misago/acl/permissions/warnings.py

@@ -45,13 +45,21 @@ class WarningsACL(BaseACL):
         except ACLError403:
             return False
 
-    def can_see_member_warns(self, user, other_user):
+    def allow_member_warns_view(self, user, other_user):
         try:
             if user.pk == other_user.pk:
-                return True
+                return
         except AttributeError:
             pass
-        return self.acl['can_see_other_members_warns']
+        if not self.acl['can_see_other_members_warns']:
+            raise ACLError403(_("You don't have permission to see this member warnings."))
+
+    def can_see_member_warns(self, user, other_user):
+        try:
+            self.allow_member_warns_view(user, other_user)
+            return True
+        except ACLError403:
+            return False
 
     def allow_warning(self):
         if not self.acl['can_be_warned']:

misago/apps/profiles/decorators.py

@@ -3,7 +3,7 @@ from django.conf import settings
 from django.core.urlresolvers import reverse
 from django.shortcuts import redirect
 from misago.acl.exceptions import ACLError403, ACLError404
-from misago.apps.errors import error404
+from misago.apps.errors import error403, error404
 from misago.models import User
 from misago.utils.strings import slugify
 
@@ -27,7 +27,7 @@ def profile_view(fallback='user'):
             except ACLError404:
                 return error404(request)
             except ACLError403 as e:
-                return error404(request, e.message)
+                return error403(request, e.message)
         return wraps(f)(inner_decorator)
     return outer_decorator
 

misago/apps/profiles/warnings/views.py

@@ -11,6 +11,8 @@ from misago.utils.pagination import make_pagination
 
 @profile_view('user_warnings')
 def warnings(request, user, page=0):
+    request.acl.warnings.allow_member_warns_view(request.user, user)
+
     queryset = user.warning_set
     count = queryset.count()
     try: