[extensions-web/wip/media-permissions] extensions: properly check user permissions for media upload



commit ddbc8e414cc3d63bc3bf6a508165dffefe1871be
Author: Yuri Konotopov <ykonotopov gnome org>
Date:   Wed May 27 00:18:03 2020 +0400

    extensions: properly check user permissions for media upload

 sweettooth/extensions/views.py | 6 ++++++
 1 file changed, 6 insertions(+)
---
diff --git a/sweettooth/extensions/views.py b/sweettooth/extensions/views.py
index cbf85f5..47df3a1 100644
--- a/sweettooth/extensions/views.py
+++ b/sweettooth/extensions/views.py
@@ -346,6 +346,9 @@ def ajax_inline_edit_view(request, extension):
 @require_POST
 @model_view(models.Extension)
 def ajax_upload_screenshot_view(request, extension):
+    if not extension.user_can_edit(request.user):
+        return HttpResponseForbidden()
+
     extension.screenshot = request.FILES['file']
     extension.save(replace_metadata_json=False)
     return extension.screenshot.url
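Review bot: `request.FILES['file']` in `ajax_upload_screenshot_view` is still read without checking that the key is present, and the upload is assigned to `extension.screenshot` and saved with no validation visible in this hunk; the same applies to `extension.icon` in `ajax_upload_icon_view` in the next hunk. A POST with no `file` part raises a key error rather than returning a client error. Django's `Model.save()` does not run field validators, so unless `Extension.save()` or a decorator outside this hunk checks it, a permitted editor can still store a non-image or oversized file. Consider `upload = request.FILES.get('file')` followed by `if upload is None: return HttpResponseBadRequest()` (which may need importing), and validate content type and size before assigning the field.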
@@ -354,6 +357,9 @@ def ajax_upload_screenshot_view(request, extension):
 @require_POST
 @model_view(models.Extension)
 def ajax_upload_icon_view(request, extension):
+    if not extension.user_can_edit(request.user):
+        return HttpResponseForbidden()
+
     extension.icon = request.FILES['file']
     extension.save(replace_metadata_json=False)
     return extension.icon.url
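Review bot: The `if not extension.user_can_edit(request.user): return HttpResponseForbidden()` guard is now copy-pasted at the top of both upload views, so a later upload or edit view can easily be added without it. If more views in this file need the same rule, a shared decorator stacked beside `@model_view(models.Extension)` would keep the authorization check in one place; how `ajax_inline_edit_view` enforces it is not visible in these hunks. A regression test that POSTs to each upload URL as a user who cannot edit the extension and expects a 403 would keep this fix from silently regressing.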

