What ?

Merging the my_profile view with the profile view introduced a security issue. Indeed, anyone can submit a POST form to any given user to modify its profile.

Why ?

Concerned code (user.views:41-64) :

def profile(request, username):
    user = get_object_or_404(User, username=username)

    if request.method == 'POST':
        form = ProfileForm(request.POST, instance=user.profile)
        if form.is_valid():
            form.save()
            return redirect('profile', username=username)
    else:
        form = ProfileForm(instance=user.profile)

    last_badges = user.badges_earned.order_by('-awarded_at')[:10]
    last_contents = Content.objects.filter(author=user.profile).order_by('-posted_at')[:5]

    return render(request, 'profile.html', {
        'profile': user.profile,
        'last_badges': last_badges,
        'last_contents': last_contents,
        'form': form
    })


def my_profile(request):
    return redirect('profile', username=request.user.username)

As the username is fetched from the URL path and is not (necessarily) the authenticated one, any POST request will succeed.

A proper way to fix it is to use request.user instead of user. I also think that form should be None when rendering another user's profile page (even if that won't fix the issue).

What ?

If a theme is marked as hidden, its page ('/data/theme/{id}') and all of its datasets ('/data/dataset/{id}') are still publicly available.

Furthermore, hidden datasets that are linked to a keyword are shown in search results and in the recommended datasets modal.

Why ?

Hidden themes are present in the database and are not filtered by every query.

Fixing every SQL query atomically by hand may not be an ideal solution; I think the model should take care of that directly at the root (I'm not sure how though, maybe by using a custom Manager ?).