fix: only allow users to replay their own matches

amcsz · amcsz · commit 5e2df558114b · 2026-02-03T09:43:25.000-05:00
[pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
diff --git a/othello/apps/games/views.py b/othello/apps/games/views.py
@@ -201,6 +201,13 @@ def replay(request: HttpRequest) -> HttpResponse:
 @login_required
 def match_replay(request: HttpRequest, match_id: int) -> HttpResponse:
     match = get_object_or_404(Match, id=match_id)
+    if request.user not in [match.player1.user, match.player2.user]:
+        messages.error(
+            request,
+            "You can only view replays of matches you participated in.",
+            extra_tags="danger",
+        )
+        return redirect("games:queue")
     games = list(match.games.order_by("created_at"))
     selected_game_id = request.GET.get("game_id")
     if selected_game_id:
diff --git a/othello/templates/games/queue.html b/othello/templates/games/queue.html
@@ -45,7 +45,14 @@ <h1>Running Matches</h1>
                 {{ match.player2.get_game_name }}
             </td>
             <td>{% if match.is_ranked %}Yes{% else %}No{% endif %}</td>
-            <td>{{ match.status }}{% if match.status == 'completed' %} <a href="{% url 'games:match_replay' match.id %}">(Replay)</a>{% endif %}</td>
+            <td>
+                {{ match.status }}
+                {% if match.status == 'completed' %}
+                    {% if user == match.player1.user or user == match.player2.user %}
+                        <a href="{% url 'games:match_replay' match.id %}">(Replay)</a>
+                    {% endif %}
+                {% endif %}
+            </td>
             <td>{{ match.created_at }}</td>
         </tr>
         {% endfor %}
