Merged in [16649] from rjsparks@nostrum.com:

levkowetz · levkowetz · commit 1c38387279de · 2019-09-05T22:59:59.000Z
Guard against attempts to use the review request view with a ReviewRequest id that does not match the document for the ReviewRequest. This would have exposed ietf-tools#2776 much earlier. - Legacy-Id: 16710 Note: SVN reference [16649] has been migrated to Git commit 01ceeba
diff --git a/ietf/doc/views_review.py b/ietf/doc/views_review.py
@@ -12,7 +12,7 @@
 
 import debug    # pyflakes:ignore
 
-from django.http import HttpResponseForbidden, JsonResponse
+from django.http import HttpResponseForbidden, JsonResponse, Http404
 from django.shortcuts import render, get_object_or_404, redirect
 from django import forms
 from django.conf import settings
@@ -186,6 +186,8 @@ def review_request_forced_login(request, name, request_id):
 def review_request(request, name, request_id):
     doc = get_object_or_404(Document, name=name)
     review_req = get_object_or_404(ReviewRequest, pk=request_id)
+    if review_req.doc != doc:
+        raise Http404('The indicated ReviewRequest is not a request for the indicated document')
 
     can_manage_request = can_manage_review_requests_for_team(request.user, review_req.team)
 
