From f4c5101b355db9d1560f8d64a2e53cdc7f1c406c Mon Sep 17 00:00:00 2001
From: Hugo Levy-Falk
Date: Fri, 28 Aug 2020 20:16:44 +0100
Subject: [PATCH] Fix history acl
---
 logs/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/logs/views.py b/logs/views.py
index 87084d66..0eef11d7 100644
--- a/logs/views.py
+++ b/logs/views.py
@@ -536,6 +536,8 @@ def get_history_object(request, model, object_name, object_id):
 instance = None
 if instance is None:
+ # TODO : THIS IS A DECORATOR, YOU CANNOT USE IT LIKE THIS. AS IT, IT
+ # WILL ALLOW ANYONE TO SEE THE HISTORY OF A DELETED OBJECT.
 authorized = can_view_app("logs")
 msg = None
 else:
@@ -581,7 +583,7 @@ def history(request, application, object_name, object_id):
 raise Http404(_("No model found."))
 authorized, instance = get_history_object(request, model, object_name, object_id)
- if not can_view:
+ if not authorized:
 return instance
 history = get_history_class(model)
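Review bot: The added comment in the `if instance is None:` branch records the access-control gap without closing it: `can_view_app("logs")` is still assigned unchanged, and if it returns a decorator, as the comment says, `authorized` is always truthy and any user passes the check for a deleted object. Since `history` now tests `authorized`, this branch is the remaining unguarded path; it should evaluate a real permission for `request.user` and deny by default, for example `authorized = False` until such a check is wired in. If the note stays, a calmer wording with a tracker reference would age better, e.g. `# FIXME(<issue-id>): can_view_app is a decorator, so this value is always truthy.` The body of get_history_object starts and ends outside the hunk.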
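Review bot: On the denial path `return instance` hands back the second element of the tuple, so `get_history_object` presumably returns an HTTP response there rather than a model instance, and the name hides that. A one-line comment above the check would make the contract explicit, e.g. `# When not authorized, "instance" holds the response built by get_history_object.`, or the local could be renamed. The old `if not can_view:` tested a name that was apparently always truthy, so a view test with a user lacking the permission would pin this fix. The rest of `history` lies outside the hunk.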