NunoSempere/calibre-web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security fix improved: user should not edit other shelve's titles

Browse Source
This commit is contained in:
Ileana Maricel Barrionuevo 2021-07-22 00:41:07 -03:00
parent d5d0ad50fa
commit c8ebaee0f7
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cps/shelf.py
View File

@ -235,8 +235,9 @@ def create_shelf():
@login_required @login_required
def edit_shelf(shelf_id): def edit_shelf(shelf_id):
shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first() shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
if not shelf.user_id == int(current_user.id): if not check_shelf_edit_permissions(shelf):
return "Sorry you are not allowed to edit this shelf", 403 flash(_(u"Sorry you are not allowed to edit this shelf: "),category="error")
return redirect(url_for('web.index'))
return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id) return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)