Commit d4be5db1 authored by Jean Michel Rouly's avatar Jean Michel Rouly

Returns a 403 permission forbidden when deleting links that aren't yours.

parent 5e2c452a
......@@ -4,7 +4,7 @@ from datetime import timedelta
from django.http import Http404
from django.utils import timezone
from django.contrib.auth.models import User
from django.core.exceptions import ValidationError
from django.core.exceptions import PermissionDenied
from django.contrib.auth.decorators import login_required
from django.shortcuts import render, get_object_or_404, redirect
......@@ -59,24 +59,23 @@ def success(request):
# My-Links page.
@login_required
def my_links(request, permission = True):
def my_links(request):
links = URL.objects.filter( owner = request.user )
return render(request, 'my_links.html', {
'links' : links,
'permission' : permission,
},
)
# Delete link page.
@login_required
def delete(request, short):
url = URL.objects.get( short = short )
url = get_object_or_404(URL, short = short )
if url.owner == request.user:
url.delete()
return redirect('my_links')
else:
return my_links(request, permission = False)
raise PermissionDenied()
# About page, static.
def about(request):
......
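Review bot: `delete` as shown acts on any HTTP method, so the ownership check added here does not stop a deletion the owner never intended: a GET to the `delete/<short>` route issued from another page while the owner is logged in passes `url.owner == request.user` and removes the link. Django's CSRF middleware only checks unsafe methods, so I would restrict the view with `@require_POST` (from `django.views.decorators.http`) below `@login_required` and have the My-Links template submit the delete through a form carrying `{% csrf_token %}`. Whether the CSRF middleware is enabled is not visible in this commit, so that should be confirmed as well.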
......@@ -18,7 +18,7 @@ urlpatterns = patterns('go.views',
url(r'^signup/?$', 'signup', name = 'signup'),
# /my - My-Links page, view and review links.
url(r'^my/?$', 'my_links', {'permission' : True}, name = 'my_links'),
url(r'^my/?$', 'my_links', name = 'my_links'),
# /delete - Delete a link, no content display.
url(r'^delete/(?P<short>\w+)$', 'delete', name = 'delete'),
......
......@@ -8,10 +8,6 @@ Go - A URL Shortener
{% block content %}
{% if not permission %}
<p class="error">That link does not belong to you!</p>
{% endif %}
{% if links %}
<div id="mylinks">
{% for link in links %}
......