mirror of
https://github.com/janeczku/calibre-web
synced 2024-11-24 02:27:22 +00:00
Security fix improved: user should not edit other shelve's titles
This commit is contained in:
parent
d5d0ad50fa
commit
c8ebaee0f7
@ -235,8 +235,9 @@ def create_shelf():
|
||||
@login_required
|
||||
def edit_shelf(shelf_id):
|
||||
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
|
||||
if not shelf.user_id == int(current_user.id):
|
||||
return "Sorry you are not allowed to edit this shelf", 403
|
||||
if not check_shelf_edit_permissions(shelf):
|
||||
flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error")
|
||||
return redirect(url_for('web.index'))
|
||||
return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user