diff --git a/beat/web/code/api.py b/beat/web/code/api.py
index 1a0fdd037e3280be4df23274d117e0c84ce9a2e8..7046ce6d46c355cdf8724079ad5c8836d07a69a4 100644
--- a/beat/web/code/api.py
+++ b/beat/web/code/api.py
@@ -58,7 +58,6 @@ class ShareCodeView(ShareView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Code
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):
@@ -79,13 +78,15 @@ class DiffView(generics.RetrieveAPIView):
 
 
         # Check that the user can access them
-        accessibility = object1.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object1.fullname())
-
-        accessibility = object2.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object2.fullname())
+        has_access, open_source, _ = object1.accessibility_for(request.user)
+        if not ((request.user == object1.author) or \
+                (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object1.fullname())
+
+        has_access, open_source, _ = object2.accessibility_for(request.user)
+        if not ((request.user == object2.author) or \
+                (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object2.fullname())
 
         # Compute the diff
         serializer = self.get_serializer({'object1': object1,
diff --git a/beat/web/common/api.py b/beat/web/common/api.py
index 8ae0a0f0f5af708cf0678a32bd55ade654872407..bc5cad89aa3a59e57af4bb78ab0dc458e88d39e1 100644
--- a/beat/web/common/api.py
+++ b/beat/web/common/api.py
@@ -178,7 +178,6 @@ class ListCreateContributionView(IsAuthorOrReadOnlyMixin, ListCreateBaseView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Versionable
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):
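Review bot: Deleting `permission_classes` from `code.api.DiffView` does not by itself make the view public; DRF then falls back to `DEFAULT_PERMISSION_CLASSES` from settings, which are not shown here, so the effective policy for this endpoint now depends on project-wide configuration. If the intent is to let anonymous users diff open-source code, say so in the class with `permission_classes = [permissions.AllowAny]` so a later tightening of the project default cannot silently break it, and so a reader knows the real authorization lives in `get`. With the guard gone, `get` is reached by `AnonymousUser`; `accessibility_for` is defined outside this diff, so confirm it returns a normal tuple for anonymous callers rather than raising or treating them as the author. `DiffView` continues past the end of the hunk.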
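Review bot: The author-or-(has_access and open_source) rule is written out twice, once per object, with the same forbidden message, which is exactly the kind of duplication that drifts the next time the rule is touched; the backslash continuation inside the parenthesised condition is also redundant. The check is correct as far as the hunk shows (Django's `AnonymousUser` compares unequal to any `User`, so the author shortcut does not open anything for unauthenticated callers), but it reads better as one small method applied to both objects, which also gives the rule a docstring. The lookups that produce `object1`/`object2` and the rest of `get` are outside this hunk.
```python
    def _can_read_source(self, user, obj):
        """Return True when ``user`` may read ``obj``'s source code: its author,
        or anyone who can access ``obj`` while it is flagged open-source."""
        has_access, open_source, _ = obj.accessibility_for(user)
        return user == obj.author or (has_access and open_source)

    def get(self, request, author1, name1, version1, author2, name2, version2):
        # … unchanged: lookup of object1 / object2 …

        # Check that the user can access them
        for obj in (object1, object2):
            if not self._can_read_source(request.user, obj):
                return ForbiddenResponse("You cannot access the source-code of \"%s\"" % obj.fullname())

        # … unchanged: compute the diff …
```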
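Review bot: The authorization that is supposed to replace `IsAuthenticated` on `common.api.DiffView` is not in this hunk — the body of `get` runs past it — so it cannot be confirmed here that anonymous callers are checked at all, only that they now reach `get`. The sibling `code.api.DiffView` in this same commit replaces its check with an author-or-(`has_access and open_source`) test; this generic view should apply the same rule (at minimum consult `accessibility_for(request.user)[0]`, not just the open-source flag) so the two endpoints agree on who may read a private contribution. As with the other view, prefer an explicit `permission_classes = [permissions.AllowAny]` over silently inheriting `DEFAULT_PERMISSION_CLASSES`, and add a one-line comment in `get` saying that access control is enforced there because the view is deliberately open to anonymous users.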