Closed bbelderbos closed 6 months ago
```python
@login_required
def play(request, pk):
    rep_tune = get_object_or_404(RepertoireTune, id=pk)
    rep_tune.last_played = timezone.now()
    rep_tune.save()
    return render(request, "tune/_play.html")
```
I think right now somebody making a PUT request outside of htmx will manage to set `last_played` on a tune that they don't own, so probably good to add `player=request.user` to the `get_object_or_404` query to prevent this.
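The difference between the two lookups, as an added example that is not code from this project: a framework-free model using `sqlite3` in place of the Django ORM, so it runs without Django installed. The table layout, the user names `alice` and `bob`, and the helper names are assumptions made for illustration; only `player`, `last_played` and the `id=pk` lookup come from the issue.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: column names mirror the issue's RepertoireTune
# fields (player, last_played); the rows and user names are invented.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE repertoire_tune ("
        "id INTEGER PRIMARY KEY, player TEXT NOT NULL, last_played TEXT)"
    )
    db.executemany(
        "INSERT INTO repertoire_tune (id, player) VALUES (?, ?)",
        [(1, "alice"), (2, "bob")],
    )
    return db

def _mark_played(db, row):
    if row is None:
        return 404  # the case get_object_or_404 turns into Http404
    db.execute(
        "UPDATE repertoire_tune SET last_played = ? WHERE id = ?",
        (datetime.now(timezone.utc).isoformat(), row[0]),
    )
    return 200

def play_unscoped(db, user, pk):
    """Lookup by primary key only, like get_object_or_404(RepertoireTune, id=pk)."""
    row = db.execute("SELECT id FROM repertoire_tune WHERE id = ?", (pk,)).fetchone()
    return _mark_played(db, row)

def play_scoped(db, user, pk):
    """Lookup by primary key AND owner, like adding player=request.user."""
    row = db.execute(
        "SELECT id FROM repertoire_tune WHERE id = ? AND player = ?", (pk, user)
    ).fetchone()
    return _mark_played(db, row)

def last_played(db, pk):
    return db.execute(
        "SELECT last_played FROM repertoire_tune WHERE id = ?", (pk,)
    ).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(play_unscoped(db, "alice", 2), last_played(db, 2))  # bob's row is modified
    db = make_db()
    print(play_scoped(db, "alice", 2), last_played(db, 2))    # rejected, row untouched
```

With the owner in the filter, a request for someone else's tune is indistinguishable from a request for a tune that does not exist, so the response does not reveal which ids are in use.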