add TODOs

django/allgo/main/views.py

@@ -152,6 +152,9 @@ class LegacyWebappDetail(SingleObjectMixin, RedirectView):
 
 # WEBAPPS
 # -----------------------------------------------------------------------------
+
+# FIXME: should merge WebappList with UserWebappList
+# FIXME: should filter out webapps that have not published versions and that do not belong to the current user
 class WebappList(AllAccessMixin, ListView):
     """ Display a paginated list of available webapps.
 
@@ -200,6 +203,7 @@ class UserWebappList(AllAccessMixin, ListView):
 
     def get_queryset(self):
         """Filter apps for a given user"""
+        # FIXME: infoleak: any user can display all the apps of any user
         user = User.objects.get(username=self.kwargs['username'])
         queryset = Webapp.objects.filter(user=user)
         return queryset