Merge pull request #857 from malemburg/master

Disable anonymous postings by returning a 404.
python · Nov 27, 2015 · da96fee · da96fee
2 parents ca4fdf5 + 1fcd1e3
commit da96fee
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/jobs/tests/test_views.py b/jobs/tests/test_views.py
@@ -193,6 +193,10 @@ def test_job_create(self):
             'email': 'hr@company.com'
         }
 
+        # Check that anonymous posting is not allowed. See #852.
+        response = self.client.post(url, post_data)
+        self.assertEqual(response.status_code, 404)
+
         if 0:
             # Disabled for now, until we have found a better solution
             # to fight spammers. See #852.

diff --git a/jobs/views.py b/jobs/views.py
@@ -278,14 +278,14 @@ def get_form_kwargs(self):
 
     def form_valid(self, form):
         """ set the creator to the current user """
-        # Associate Job to user if they are logged in
-        if self.request.user.is_authenticated():
-            form.instance.creator = self.request.user
-        else:
-            # Temporary measure against spammers. See #852.
-            return super().form_invalid(form)
-        return super().form_valid(form)    
-
+
+        # Don't allow anonymous postings; see #852.
+        if not self.request.user.is_authenticated():
+            raise Http404
+
+        # Associate Job to user
+        form.instance.creator = self.request.user
+        return super().form_valid(form)      
 
 
 class JobEdit(JobMixin, UpdateView):