From 6b87b460d3c3d709dc038754a570e9ce8fed8d95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 9 Mar 2018 13:30:29 +0100
Subject: [PATCH] do not allow unauthenticated access to unlink page (#22405)

---
 src/authentic2_auth_fc/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/authentic2_auth_fc/views.py b/src/authentic2_auth_fc/views.py
index 0b0119f..177f3a1 100644
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@@ -488,6 +488,8 @@ class UnlinkView(LoggerMixin, FormView):
         return kwargs
 
     def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated():
+            raise PermissionDenied()
         # We prevent unlinking if the user has no usable password and can't change it
         # because we assume that the password is the unique other mean of authentication
         # and unlinking would make the account unreachable.
-- 
2.16.2
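Review bot: The added guard calls `request.user.is_authenticated()` as a method; on Django 1.10/1.11 this still works through the CallableBool shim, but Django 2.0 makes `is_authenticated` a plain property and the call raises TypeError, so `if not request.user.is_authenticated:` is the form that works on both and avoids a regression on upgrade. It is also worth deciding explicitly whether a 403 is the intended answer for an anonymous visitor: `LoginRequiredMixin` (or a redirect to the login page) is the usual Django behaviour for unauthenticated access and lets a legitimate user reach the unlink page after signing in, whereas `PermissionDenied` is appropriate only if an anonymous request to this URL should be treated as an error; either way the check correctly runs before the password checks that follow, which would not be meaningful for an anonymous user. The hunk adds no import for `PermissionDenied`, so it is presumably already imported in views.py; worth confirming. The body of `dispatch` continues past the end of the hunk.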