From 2ecbe91bc57531611cfe15197ad5cb611459f899 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Thu, 5 Aug 2021 17:08:45 +0200
Subject: [PATCH] Raise 404 on celery progress view if the user is anonymous

---
 CHANGELOG.rst         | 4 ++++
 aleksis/core/views.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index df00c3fac..9c97c2075 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,10 @@ Added
 
 * Allow apps to dynamically generate OAuth scopes
 
+Fixed
+~~~~~
+* The view for getting the progress of celery tasks didn't respect that there can be anonymous users.
+
 Removed
 ~~~~~~~
 
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index c2b113b67..e24bafa17 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -1151,6 +1151,8 @@ class CeleryProgressView(View):
     """Wrap celery-progress view to check permissions before."""
 
     def get(self, request: HttpRequest, task_id: str, *args, **kwargs) -> HttpResponse:
+        if request.user.is_anonymous:
+            raise Http404()
         if not TaskUserAssignment.objects.filter(
             task_result__task_id=task_id, user=request.user
         ).exists():
-- 
GitLab