Fixed security issue: a user could edit others' shelves.

This commit is contained in:
Ileana Maricel Barrionuevo 2021-07-21 22:08:41 -03:00
parent 20fa9f5523
commit d5d0ad50fa

View File

@ -235,6 +235,8 @@ def create_shelf():
@login_required @login_required
def edit_shelf(shelf_id): def edit_shelf(shelf_id):
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
if not shelf.user_id == int(current_user.id):
return "Sorry you are not allowed to edit this shelf", 403
return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id) return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)