ristekoss / susunjadwal

SusunJadwal - Universitas Indonesia's #1 Student Course Planner App.
http://susunjadwal.cs.ui.ac.id/

Guard update and delete views for UserSchedule and add copy schedule feature #63

Closed laymonage closed 3 years ago

laymonage commented 3 years ago

@require_same_user_id only checks whether the routes that contain user_id are accessed by the matching authenticated user. It's always true as long as the user is logged in and accessing the pages from the frontend app, because the frontend only composes URLs with the authenticated user's ID. However, any user can update/delete any schedule as long as they know the schedule ID and are calling the views using their own user ID.

This PR fixes it by also checking, when querying the UserSchedule object, that the schedule object's user_id matches the given user_id. As a bonus, we can easily implement a "Copy Schedule" feature by creating a new schedule in the edit view if the user attempts to edit another user's schedule (or their own schedule that has been deleted beforehand).
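The two checks described above, side by side, as an added example that is not SusunJadwal's code: a route-level "URL user_id equals session user" check, the object lookup that ignores ownership (any logged-in user can edit any schedule id), and the fixed lookup that carries user_id into the query so an unowned or deleted schedule is simply not found and the edit view copies instead. The in-memory store, the Request stand-in and every function name here are assumptions made for the illustration; the project's real Flask views and models are not reproduced.

```python
"""Added illustration, not SusunJadwal's code: route-level user_id check alone
versus the ownership-qualified lookup with copy-on-edit.

The in-memory store, the Request stand-in and all function names below are
assumptions made for this example, not identifiers from the project."""
from dataclasses import dataclass, field
from typing import Optional
import itertools


@dataclass
class UserSchedule:
    id: int
    user_id: str
    name: Optional[str]
    items: list = field(default_factory=list)
    deleted: bool = False


@dataclass
class Request:
    auth_user_id: str   # user the session actually belongs to
    url_user_id: str    # user_id segment the caller put in the URL
    schedule_id: int    # schedule id segment in the URL
    items: list = field(default_factory=list)  # edit payload: new contents


def new_store():
    """Constructed sample data: alice owns schedule 1, bob owns schedule 2."""
    return {
        1: UserSchedule(1, "alice", "Alice's plan", ["CS101"]),
        2: UserSchedule(2, "bob", "Bob's plan", ["CS102"]),
    }


_next_id = itertools.count(100)  # ids for copied schedules


def require_same_user_id(req: Request) -> bool:
    """What the route decorator checks: URL user_id == session user.
    It says nothing about who owns the schedule being addressed."""
    return req.auth_user_id == req.url_user_id


def update_schedule_before(store, req):
    """Pre-fix behaviour: the schedule is looked up by id only."""
    if not require_same_user_id(req):
        return "403"
    sched = store.get(req.schedule_id)
    if sched is None or sched.deleted:
        return "404"
    sched.items = list(req.items)  # reachable by any logged-in user, for any id
    return sched


def find_owned(store, schedule_id, user_id):
    """The fix: user_id is part of the query, so a schedule that exists but
    belongs to someone else (or was deleted) is not found at all."""
    sched = store.get(schedule_id)
    if sched is None or sched.deleted or sched.user_id != user_id:
        return None
    return sched


def update_schedule_after(store, req):
    """Post-fix edit view: edit in place if owned, otherwise create a copy
    owned by the caller (the PR leaves the copy's name as null)."""
    if not require_same_user_id(req):
        return "403"
    sched = find_owned(store, req.schedule_id, req.url_user_id)
    if sched is None:
        sched = UserSchedule(next(_next_id), req.url_user_id, None)
        store[sched.id] = sched
    sched.items = list(req.items)
    return sched


def delete_schedule_after(store, req):
    """Post-fix delete view: same ownership-qualified lookup, 404 otherwise."""
    if not require_same_user_id(req):
        return "403"
    sched = find_owned(store, req.schedule_id, req.url_user_id)
    if sched is None:
        return "404"
    sched.deleted = True
    return sched
```

With the pre-fix view, a request from bob carrying bob's own user_id in the URL but alice's schedule id passes the decorator and overwrites alice's schedule. With the ownership-qualified lookup the same request never touches alice's object; it returns a fresh schedule owned by bob, and the matching delete returns 404. Editing one's own previously deleted schedule also falls into the copy branch, which is the second case the PR description mentions.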

jonathanfilbert commented 3 years ago

Nice! I think we should handle naming the copied schedule, something like "Schedule (copied)" instead of just null.

jonathanfilbert commented 3 years ago

@fairuzi10

fairuzi10 commented 3 years ago

Wowww, this fix and feature is so cool. Thank you so much @laymonage! 😃