Ensure signoffs can only be created if allowed

Signed-off-by: Dan McGee <dan@archlinux.org>
author: Dan McGee <dan@archlinux.org> 2011-11-03 21:20:28 -0500
committer: Dan McGee <dan@archlinux.org> 2011-11-03 21:20:28 -0500
commit: 800ea45528e297c38e068775951e666f8191ef45 (patch)
tree: 80afe3c0ef58bed6c906e4c67d0f8a2a532a789d /packages/views.py
parent: 5f2c3bf98baabf919681525e600639643aa2c119 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/packages/views.py b/packages/views.py
index 307691e2..00dd7f7d 100644
--- a/packages/views.py
+++ b/packages/views.py
@@ -388,9 +388,10 @@ def signoffs(request):
 def signoff_package(request, name, repo, arch, revoke=False):
     packages = get_list_or_404(Package, pkgbase=name,
             arch__name=arch, repo__name__iexact=repo, repo__testing=True)
-
     package = packages[0]
 
+    spec = SignoffSpecification.objects.get_or_default_from_package(package)
+
     if revoke:
         try:
             signoff = Signoff.objects.get_from_package(
@@ -401,11 +402,13 @@ def signoff_package(request, name, repo, arch, revoke=False):
         signoff.save()
         created = False
     else:
+        # ensure we should even be accepting signoffs
+        if spec.known_bad or not spec.enabled:
+            return render(request, '403.html', status=403)
         signoff, created = Signoff.objects.get_or_create_from_package(
                 package, request.user)
 
     all_signoffs = Signoff.objects.for_package(package)
-    spec = SignoffSpecification.objects.get_or_default_from_package(package)
 
     if request.is_ajax():
         data = {
author	Dan McGee <dan@archlinux.org>	2011-11-03 21:20:28 -0500
committer	Dan McGee <dan@archlinux.org>	2011-11-03 21:20:28 -0500
commit	800ea45528e297c38e068775951e666f8191ef45 (patch)
tree	80afe3c0ef58bed6c906e4c67d0f8a2a532a789d /packages/views.py
parent	5f2c3bf98baabf919681525e600639643aa2c119 (diff)