From c8ebaee0f76d5b404cd2d5fd17df9f27795abc49 Mon Sep 17 00:00:00 2001
From: Ileana Maricel Barrionuevo
Date: Thu, 22 Jul 2021 00:41:07 -0300
Subject: [PATCH] Security fix improved: user should not edit other shelve's titles

---
 cps/shelf.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cps/shelf.py b/cps/shelf.py
index 9556ba66..229eaade 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -235,8 +235,9 @@ def create_shelf():
 @login_required
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
-    if not shelf.user_id == int(current_user.id):
-        return "Sorry you are not allowed to edit this shelf", 403
+    if not check_shelf_edit_permissions(shelf):
+        flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error")
+        return redirect(url_for('web.index'))
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)
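Review bot: `check_shelf_edit_permissions(shelf)` receives the result of `.first()`, which is `None` when no shelf has the requested id, so a request for a nonexistent shelf still reaches the helper with `None` (the removed `shelf.user_id` comparison had the same gap, and the commit does not close it); unless the helper is known to tolerate `None`, fold the check into the new condition, `if shelf is None or not check_shelf_edit_permissions(shelf):`, so the same flash-and-redirect path covers both cases without revealing whether the id exists. The flash text ends with `": "` as if a shelf name were meant to follow, but nothing is appended; either append the name or drop the trailing colon. The hunk header counts 8 old and 9 new lines while only 6 and 7 are visible here, so some context lines (presumably the route decorator) appear to have been lost in extraction and the function's true start may lie outside what is shown.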