From 227280b0e9fdd2e94da978e583e2e5779976c421 Mon Sep 17 00:00:00 2001
From: Nick Sergeant <nick@nicksergeant.com>
Date: Sun, 18 Oct 2015 15:46:21 -0400
Subject: [PATCH] Auth on team views.

---
 snipts/api.py  | 5 +++--
 teams/views.py | 8 ++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/snipts/api.py b/snipts/api.py
index fd99d8a..c3927ba 100644
--- a/snipts/api.py
+++ b/snipts/api.py
@@ -411,6 +411,7 @@ class PrivateSniptResource(ModelResource):
         return bundle
 
     def obj_create(self, bundle, **kwargs):
+        bundle.data['last_user_saved'] = bundle.request.user
         bundle.data['tags_list'] = bundle.data.get('tags')
         bundle.data['tags'] = ''
 
@@ -430,10 +431,10 @@ class PrivateSniptResource(ModelResource):
         else:
             user = bundle.request.user
 
-        bundle.data['last_user_saved'] = bundle.request.user
-        bundle.data['user'] = user
         bundle.data['created'] = None
+        bundle.data['last_user_saved'] = bundle.request.user
         bundle.data['modified'] = None
+        bundle.data['user'] = user
 
         if type(bundle.data['tags']) in (str, unicode):
             bundle.data['tags_list'] = bundle.data['tags']
diff --git a/teams/views.py b/teams/views.py
index 04d3f73..21033f8 100644
--- a/teams/views.py
+++ b/teams/views.py
@@ -4,6 +4,7 @@ import uuid
 
 from annoying.decorators import render_to
 from django.conf import settings
+from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
 from django.http import Http404, HttpResponseRedirect, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
@@ -19,6 +20,7 @@ def for_teams(request):
     return {}
 
 
+@login_required
 @render_to('teams/team-billing.html')
 def team_billing(request, username):
     team = get_object_or_404(Team, slug=username)
@@ -29,14 +31,18 @@ def team_billing(request, username):
     }
 
 
+@login_required
 @render_to('teams/team-members.html')
 def team_members(request, username):
     team = get_object_or_404(Team, slug=username)
+    if not team.user_is_member(request.user):
+        raise Http404
     return {
         'team': team
     }
 
 
+@login_required
 def add_team_member(request, username, member):
     team = get_object_or_404(Team, slug=username)
     user = get_object_or_404(User, username=member)
@@ -49,6 +55,7 @@ def add_team_member(request, username, member):
     return HttpResponseRedirect('/' + team.slug + '/members/')
 
 
+@login_required
 def remove_team_member(request, username, member):
     team = get_object_or_404(Team, slug=username)
     user = get_object_or_404(User, username=member)
@@ -61,6 +68,7 @@ def remove_team_member(request, username, member):
     return HttpResponseRedirect('/' + team.slug + '/members/')
 
 
+@login_required
 @render_to('teams/for-teams-complete.html')
 def for_teams_complete(request):
     if request.method == 'POST' and request.user.is_authenticated():