From 7680060a037b2db4418874277372b262cb2ec9c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stellan=20Lagerstr=C3=B6m?=
Date: Tue, 19 Apr 2016 15:54:16 +0200
Subject: [PATCH] [#2074]Allow access for API key users

---
 akvo/rest/views/user.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/akvo/rest/views/user.py b/akvo/rest/views/user.py
index 184c0fda9e..d22840ae34 100644
--- a/akvo/rest/views/user.py
+++ b/akvo/rest/views/user.py
@@ -87,17 +87,25 @@ def update_details(request, pk=None):
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
+
 @api_view(['POST'])
 def request_organisation(request, pk=None):
     # Get the user, or return an error if the user does not exist
+
     try:
         user = get_user_model().objects.get(pk=pk)
     except get_user_model().DoesNotExist:
         return Response({'user': _('User does not exist')}, status=status.HTTP_400_BAD_REQUEST)
 
+    user_token = request.META.get('HTTP_AUTH_TOKEN', None)
+
+    if not user_token:
+        raise PermissionDenied()
+
+    auth_user = get_user_model().objects.get(api_key__key=user_token)
+
     # Users themselves are only allowed to request to join an organisation
-    request_user = getattr(request, 'user', None)
-    if not user == request_user:
+    if not user == auth_user:
         raise PermissionDenied()
 
     request.DATA['user'] = pk
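Review bot: The added `auth_user = get_user_model().objects.get(api_key__key=user_token)` is unguarded, so an unknown, expired or revoked token raises `DoesNotExist` (and a key shared by several users raises `MultipleObjectsReturned`) and surfaces as an unhandled server error instead of the `PermissionDenied` the surrounding code uses for every other authorization failure. A bad credential should be rejected with the same 403 path as a missing header, which also avoids leaking through the error response whether a token string is known to the system. The view also now resolves identity by parsing a raw header itself rather than through the framework's authentication layer, and the removed `request.user` comparison means any caller authenticated some other way (a session, for instance) is rejected for lacking `HTTP_AUTH_TOKEN`; if such callers still use this endpoint, keep that comparison as a fallback or, better, have the configured authentication classes populate `request.user` for API-key callers so the check stays a single comparison. The body of `request_organisation` continues past the end of the hunk.
```python
    # … unchanged: lookup of the target user by pk …
    user_model = get_user_model()
    user_token = request.META.get('HTTP_AUTH_TOKEN', None)
    if not user_token:
        raise PermissionDenied()
    try:
        auth_user = user_model.objects.get(api_key__key=user_token)
    except (user_model.DoesNotExist, user_model.MultipleObjectsReturned):
        # An unknown or ambiguous token is an authorization failure, not a server error.
        raise PermissionDenied()
    # … unchanged: comparison of auth_user against the target user …
```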