From 29c0696f3fae07f9eea9c2f92a094f01e9d02780 Mon Sep 17 00:00:00 2001
From: Thomas Steen Rasmussen
Date: Thu, 12 May 2016 18:14:30 +0200
Subject: [PATCH] check that this order belongs to this user

---
 shop/views.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/shop/views.py b/shop/views.py
index d73cc938..79cbdea1 100644
--- a/shop/views.py
+++ b/shop/views.py
@@ -35,6 +35,11 @@ class CheckoutView(LoginRequiredMixin, DetailView):
     template_name = 'shop/order_detail.html'
     context_object_name = 'order'
 
+    def get(self, request, *args, **kwargs):
+        if self.get_object().user != request.user:
+            raise Http404("Order not found")
+        return self.render_to_response(self.get_context_data())
+
 class PaymentView(LoginRequiredMixin, FormView):
     """
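Review bot: The new `get` never assigns `self.object`, so the `self.get_context_data()` call on the last added line is expected to fail: `SingleObjectMixin.get_context_data` reads `self.object`, which `DetailView.get` normally sets before building the context and which this override no longer does. Assign the looked-up order once and reuse it: `self.object = self.get_object()` / `if self.object.user != request.user:` / `return self.render_to_response(self.get_context_data(object=self.object))`. The ownership check is the right fix for the object-level access issue, and raising `Http404` rather than a 403 also avoids confirming to another user that the order id exists; a more defensive alternative is to override `get_queryset` with `return super().get_queryset().filter(user=self.request.user)`, so that `get_object` itself returns 404 for any order the requesting user does not own and no later code path can bypass the check. `Http404` is not imported within the hunk, so confirm it is in scope at the top of shop/views.py. `CheckoutView` begins before this hunk, and the hunk's trailing context line appears to be cut off at the end of the page.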