jhauserw3241 / cdcdb-webserver

Python3/Flask web server for DB final project
https://cdcdb.system33.pw

Verify that people who don't have delete permission cannot get them by typing in the URL manually #91

Closed jhauserw3241 closed 7 years ago

pastly commented 7 years ago

This is why one of the first things every foobar.delete() function should do is check self.__can_delete(session). In fact, most/all of foobar.VERB() should check self.__can_VERB(...) before doing anything.

https://github.com/pastly/cdcdb-webserver/blob/master/events.py#L414
https://github.com/pastly/cdcdb-webserver/blob/master/events.py#L172

Is there a specific module that forgot this check?
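Added example, not part of the thread or of the project's code: the check-first pattern described in the comment above, showing that a delete URL typed in by hand is refused even when the UI never offered a delete link. The `Events` class, the `dispatch()` router, the `/events/<id>/<verb>` path layout and the `officer` role are hypothetical; only `delete()` and `__can_delete(session)` follow the names used in the comment.

```python
class Forbidden(Exception):
    """Raised when the session lacks permission for the requested verb."""


class Events:
    VERBS = ("view", "delete")

    def __init__(self, rows):
        self.rows = dict(rows)  # event_id -> title (constructed sample data)

    # One permission predicate per verb. The session is the server-side
    # session object, never a value taken from the URL or a form field.
    def __can_view(self, session):
        return True

    def __can_delete(self, session):
        return session.get("role") == "officer"  # hypothetical role name

    def view(self, session, event_id):
        if not self.__can_view(session):
            raise Forbidden("view")
        return self.rows[event_id]

    def delete(self, session, event_id):
        # First statement: authorize. Hiding the delete link in a template
        # does nothing for a request typed straight into the address bar.
        if not self.__can_delete(session):
            raise Forbidden("delete")
        del self.rows[event_id]

    def dispatch(self, session, path):
        """Route '/events/<id>/<verb>' and map the outcome to an HTTP status."""
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "events" or parts[2] not in self.VERBS:
            return 404
        try:
            getattr(self, parts[2])(session, int(parts[1]))
        except Forbidden:
            return 403
        except (KeyError, ValueError):
            return 404
        return 200
```

Because the permission check runs before the row lookup, a session without delete permission gets 403 whether or not the event id exists, so the response does not reveal which ids are valid.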

flemingcaleb commented 7 years ago

Misworded the title, will create a new issue