From d5d0ad50fa33eb9e0fff32c24a0ce65f03bbc352 Mon Sep 17 00:00:00 2001
From: Ileana Maricel Barrionuevo
Date: Wed, 21 Jul 2021 22:08:41 -0300
Subject: [PATCH] Fixed security issue: a user could edit others' shelves.

---
 cps/shelf.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cps/shelf.py b/cps/shelf.py
index 431eeff8..9556ba66 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -235,6 +235,8 @@ def create_shelf():
 @login_required
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
+    if not shelf.user_id == int(current_user.id):
+        return "Sorry you are not allowed to edit this shelf", 403
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)
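Review bot: The new ownership check dereferences `shelf.user_id` before anything confirms the query returned a row, so a request for a shelf_id that does not exist now raises AttributeError on `None` and surfaces as a 500 instead of a clean client error; guard it first with `if shelf is None: return "Shelf not found", 404`. The negated equality reads more naturally as `if shelf.user_id != int(current_user.id):`. Whether an admin should still be allowed to edit another user's shelf is not decided by this hunk — if the project grants that elsewhere, this check needs the same exemption, so confirm it against the other shelf ownership checks in this module. edit_shelf appears complete within the hunk, though the hunk's trailing context lines are not visible here.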