`@require_same_user_id` only checks whether the routes that contain `user_id` are accessed by the matching authenticated user. It's always true as long as the user is logged in and accessing the pages from the frontend app, because the frontend only composes URLs with the authenticated user's ID. However, any user can update/delete any schedule as long as they know the schedule ID and are calling the views using their own user ID.
This PR fixes it by also checking whether the schedule object's `user_id` matches the given `user_id` when querying the `UserSchedule` object. As a bonus, we can easily implement a "Copy Schedule" feature by creating a new schedule in the edit view if the user attempts to edit another user's schedule (or their own schedule that has been deleted prior).
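As an added illustration (not code from this PR or its project), a framework-free Python sketch of the lookup before and after the fix; the decorator, the in-memory `SCHEDULES` table and the view signatures are assumptions standing in for the app's routing and ORM.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the route's user_id does not match the caller."""


@dataclass
class UserSchedule:
    id: int
    user_id: int
    title: str
    deleted: bool = False


# Constructed in-memory table standing in for the ORM (assumption).
SCHEDULES = {
    1: UserSchedule(1, 100, "alice-term-1"),
    2: UserSchedule(2, 200, "bob-term-1"),
}


def require_same_user_id(view):
    """Mirrors the decorator in the PR: it compares only the route's
    user_id with the authenticated user, never the schedule's owner."""
    @wraps(view)
    def wrapper(auth_user_id, user_id, *args, **kwargs):
        if auth_user_id != user_id:
            raise Forbidden("route user_id does not match authenticated user")
        return view(auth_user_id, user_id, *args, **kwargs)
    return wrapper


@require_same_user_id
def update_schedule_before(auth_user_id, user_id, schedule_id, title):
    # Before the fix: looked up by schedule_id alone, so any logged-in user
    # who knows the ID can edit a schedule they do not own.
    schedule = SCHEDULES[schedule_id]
    schedule.title = title
    return schedule


@require_same_user_id
def update_schedule_after(auth_user_id, user_id, schedule_id, title):
    # After the fix: the query is scoped to the caller's user_id. A miss
    # (someone else's schedule, or the caller's own deleted one) becomes
    # the "Copy Schedule" path: create a fresh schedule for the caller.
    schedule = SCHEDULES.get(schedule_id)
    if schedule is None or schedule.user_id != user_id or schedule.deleted:
        new_id = max(SCHEDULES) + 1
        schedule = UserSchedule(new_id, user_id, title)
        SCHEDULES[new_id] = schedule
        return schedule
    schedule.title = title
    return schedule
```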