jwjacobson / jazztunes

a jazz repertoire management app
https://jazztunes.org
GNU General Public License v3.0
3 stars 0 forks

add extra permission to play view? #158

Closed bbelderbos closed 6 months ago

bbelderbos commented 6 months ago
from django.contrib.auth.decorators import login_required
from django.shortcuts import get_object_or_404, render
from django.utils import timezone
from .models import RepertoireTune

@login_required
def play(request, pk):
    # Looks the tune up by primary key only; nothing ties it to request.user
    rep_tune = get_object_or_404(RepertoireTune, id=pk)
    rep_tune.last_played = timezone.now()
    rep_tune.save()
    return render(request, "tune/_play.html")

I think right now somebody making a PUT request outside of htmx will manage to set last_played on a tune they don't own, so it's probably good to add player=request.user to the get_object_or_404 query to prevent this.