mirror of
https://github.com/janeczku/calibre-web
synced 2024-12-25 17:40:31 +00:00
Fixed security issue: a user could edit others' shelves.
This commit is contained in:
parent
20fa9f5523
commit
d5d0ad50fa
@ -235,6 +235,8 @@ def create_shelf():
|
|||||||
@login_required
|
@login_required
|
||||||
def edit_shelf(shelf_id):
|
def edit_shelf(shelf_id):
|
||||||
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
|
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
|
||||||
|
if not shelf.user_id == int(current_user.id):
|
||||||
|
return "Sorry you are not allowed to edit this shelf", 403
|
||||||
return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)
|
return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user