From 17e4679ddc4b6ee6d2be5a5e55ba9d314e5a1a42 Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber
Date: Mon, 4 Mar 2013 10:12:48 -0600
Subject: [PATCH] Three fixes to collection adding view, one of them a serious security bug
- Don't let people who aren't the authors of a collection from adding things to it (handled by forcing the user check in the query)
- request url in case invalid collection selected fixed
- collection_item.author doesn't yet exist; removing the selection (we might want multiple people to be able to edit a collection in the future but that future does not yet exist; as Elrond said, remove this "false hope")
Thanks to Elrond to pointing out these issues. And thanks to David Kindler for sponsoring this commit!
---
mediagoblin/user_pages/views.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mediagoblin/user_pages/views.py b/mediagoblin/user_pages/views.py
index 69d7defb..80919d47 100644
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@@ -227,7 +228,8 @@ def media_collect(request, media):
 # Otherwise, use the collection selected from the drop-down
 else:
 collection = Collection.query.filter_by(
- id=request.form.get('collection')).first()
+ id=request.form.get('collection'),
+ creator=request.user.id).first()
 # Make sure the user actually selected a collection
 if not collection:
@@ -236,7 +237,7 @@ def media_collect(request, media):
 _('You have to select or add a collection'))
 return redirect(request, "mediagoblin.user_pages.media_collect",
 user=media.get_uploader.username,
- media=media.id)
+ media_id=media.id)
 # Check whether media already exists in collection
@@ -250,7 +251,6 @@ def media_collect(request, media):
 collection_item = request.db.CollectionItem()
 collection_item.collection = collection.id
 collection_item.media_entry = media.id
- collection_item.author = request.user.id
 collection_item.note = request.form['note']
 collection_item.save()
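Review bot: The added `creator=request.user.id` filter is now the only thing keeping a user out of someone else's collection, but nothing in the hunk marks it as an authorization check, so a later refactor that goes back to a plain `id=` lookup (say, to show a friendlier error for an unowned collection) would silently reopen the bug. I would add a comment above the query: `# Scoping the lookup to the current user's own collections IS the authorization check; do not relax it.` Separately, `request.form.get('collection')` is handed to the `id` filter unparsed, so a non-integer value may surface as a database error rather than the "select a collection" message depending on the backend; an `int()` conversion guarded by `except ValueError`, or form validation if that already happens upstream, would close that. `media_collect` starts before this hunk, so whether `request.user` is guaranteed non-None here (a login-required decorator) is not visible from the diff.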
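Review bot: `collection_item.note = request.form['note']` uses subscript access while the collection id in the first hunk uses `.get()`, so a POST that omits `note` raises on the missing key instead of saving the item with an empty note; unless the form is validated before this point (not visible, the function continues outside the hunk), `collection_item.note = request.form.get('note', '')` would be the consistent choice. With the `author` assignment gone, the next reader has no hint why the item carries no author of its own; a one-line comment on the `CollectionItem()` line, `# No per-item author: only the collection's creator can add to it (see the creator filter on the lookup above).`, would stop the field from being quietly re-added. The hunk header promises seven old lines but only six are shown, so its trailing context line appears to be missing from this copy.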