From 22ebc2ece5b882499df640285eae668e675058b0 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Mon, 25 Apr 2016 11:23:45 +0100
Subject: [PATCH] Make permissions for AJAX dashboard backend match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If you don’t have permission to see the HTML dashboard, you shouldn’t be able to see the JSON one.
---
 app/main/views/dashboard.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/main/views/dashboard.py b/app/main/views/dashboard.py
index 380d54852..d3f725761 100644
--- a/app/main/views/dashboard.py
+++ b/app/main/views/dashboard.py
@@ -57,6 +57,7 @@ def service_dashboard(service_id):
 
 @main.route("/services//dashboard.json")
 @login_required
+@user_has_permissions('view_activity', admin_override=True)
 def service_dashboard_updates(service_id):
 return jsonify(**{
 'today': render_template(
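Review bot: Nothing at `service_dashboard_updates` records that its decorator stack has to mirror the one on `service_dashboard`, so the JSON endpoint can drift out of step with the HTML view again the next time either one changes. I would add a comment above the new decorator, `# Must match the permission check on service_dashboard; this is the JSON counterpart of that view.`, and confirm that the HTML view uses the same `'view_activity'` and `admin_override=True` arguments, since its decorators sit above this hunk. The diffstat shows a single insertion and no test, so a regression test asserting that a logged-in user without `view_activity` is refused on `dashboard.json` would pin the fix. Other `.json` or AJAX routes in this module may carry the same mismatch and deserve the same check. The body of `service_dashboard_updates` continues past the end of the hunk.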