Commit d4be5db1 authored by Jean Michel Rouly's avatar Jean Michel Rouly

Returns a 403 Forbidden (PermissionDenied) when deleting links that aren't yours.

parent 5e2c452a
...@@ -4,7 +4,7 @@ from datetime import timedelta ...@@ -4,7 +4,7 @@ from datetime import timedelta
from django.http import Http404 from django.http import Http404
from django.utils import timezone from django.utils import timezone
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.core.exceptions import ValidationError from django.core.exceptions import PermissionDenied
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django.shortcuts import render, get_object_or_404, redirect from django.shortcuts import render, get_object_or_404, redirect
...@@ -59,24 +59,23 @@ def success(request): ...@@ -59,24 +59,23 @@ def success(request):
# My-Links page. # My-Links page.
@login_required @login_required
def my_links(request, permission = True): def my_links(request):
links = URL.objects.filter( owner = request.user ) links = URL.objects.filter( owner = request.user )
return render(request, 'my_links.html', { return render(request, 'my_links.html', {
'links' : links, 'links' : links,
'permission' : permission,
}, },
) )
# Delete link page. # Delete link page.
@login_required @login_required
def delete(request, short): def delete(request, short):
url = URL.objects.get( short = short ) url = get_object_or_404(URL, short = short )
if url.owner == request.user: if url.owner == request.user:
url.delete() url.delete()
return redirect('my_links') return redirect('my_links')
else: else:
return my_links(request, permission = False) raise PermissionDenied()
# About page, static. # About page, static.
def about(request): def about(request):
......
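Review bot: The `delete` view still performs the deletion on a plain GET — the `delete/(?P<short>\w+)` route accepts any method and the view never checks `request.method`, so Django's CSRF protection (which only covers unsafe methods such as POST) does not apply and a hostile page, or merely a link prefetcher, can remove an owner's link by having them load `/delete/<short>`. The ownership check added in this commit does not close that, because in that scenario the requester is the owner. I would restrict the view to POST, `from django.views.decorators.http import require_POST` and `@require_POST` stacked above `@login_required`, and have the my_links template submit the delete through a form carrying `{% csrf_token %}` rather than a link. This assumes CsrfViewMiddleware is enabled in settings, which is not visible here; `about` continues outside the hunk.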
...@@ -18,7 +18,7 @@ urlpatterns = patterns('go.views', ...@@ -18,7 +18,7 @@ urlpatterns = patterns('go.views',
url(r'^signup/?$', 'signup', name = 'signup'), url(r'^signup/?$', 'signup', name = 'signup'),
# /my - My-Links page, view and review links. # /my - My-Links page, view and review links.
url(r'^my/?$', 'my_links', {'permission' : True}, name = 'my_links'), url(r'^my/?$', 'my_links', name = 'my_links'),
# /delete - Delete a link, no content display. # /delete - Delete a link, no content display.
url(r'^delete/(?P<short>\w+)$', 'delete', name = 'delete'), url(r'^delete/(?P<short>\w+)$', 'delete', name = 'delete'),
......
...@@ -8,10 +8,6 @@ Go - A URL Shortener ...@@ -8,10 +8,6 @@ Go - A URL Shortener
{% block content %} {% block content %}
{% if not permission %}
<p class="error">That link does not belong to you!</p>
{% endif %}
{% if links %} {% if links %}
<div id="mylinks"> <div id="mylinks">
{% for link in links %} {% for link in links %}
......