From 986cad7c23d63a33bed62a226922f20741d949a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?= <laura@codingcatgirl.de>
Date: Sun, 10 Dec 2017 03:54:49 +0100
Subject: [PATCH] don't allow redeeming if token is no longer valid

---
 src/c3nav/mapdata/models/access.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/c3nav/mapdata/models/access.py b/src/c3nav/mapdata/models/access.py
index 5c7b112f..d8781ed6 100644
--- a/src/c3nav/mapdata/models/access.py
+++ b/src/c3nav/mapdata/models/access.py
@@ -62,6 +62,10 @@ class AccessPermissionToken(models.Model):
     def redeem(self, user=None):
         if self.redeemed_by_id or (user is None and self.redeemed):
             raise TypeError('Already redeemed.')
+
+        if timezone.now()+timedelta(minutes=300 if self.redeemed else 0) < self.valid_until:
+            raise TypeError('No longer valid.')
+
         self.redeemed = True
         if user:
             for pk, expire_date in self.restrictions: