scipy / SciPyCentral

SciPy Central
http://scipy-central.org
BSD 3-Clause "New" or "Revised" License

Trusting primary key in submitted forms #101

Status: Closed (pv closed this issue 11 years ago)

pv commented 13 years ago

If I read the code correctly, the code in submissions/views.py:create_or_edit_submission_revision trusts that the POST data contains a correct pk entry. It seems to me that this allows an attacker to bypass authorization, and edit any submission even if they do not own it.

kgdunn commented 13 years ago

Thanks for picking that up. I'm working on that section of the code at the moment to allow for library submissions. I will ensure that it can't cause malicious overwrites of previous submissions.

It definitely cannot create a new submission, but it might be able to override previous submissions.
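As an added illustration, not the SciPy Central code pv is describing, the two view shapes below contrast trusting a `pk` taken from the POST body with resolving the target from the route and checking ownership before writing. The in-memory store, user names and function names are constructed stand-ins for the Django model and view.

```python
# Added illustration (not SciPy Central's code): the weakness pv describes is a
# write path whose target is chosen by a client-controlled primary key. Both
# "views" below run against a constructed in-memory store instead of the Django ORM.
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass
class Submission:
    pk: int
    owner: str
    title: str


# Constructed sample data: two users, each owning exactly one submission.
SUBMISSIONS = {
    1: Submission(pk=1, owner="alice", title="alice's snippet"),
    2: Submission(pk=2, owner="bob", title="bob's snippet"),
}


def edit_revision_trusting_post(user, post):
    """Vulnerable shape: the pk comes straight from the form body and is never
    compared with the requesting user, so any logged-in user can name any pk.
    'user' is accepted but unused, which is exactly the defect."""
    submission = SUBMISSIONS[int(post["pk"])]
    submission.title = post["title"]
    return submission


def edit_revision_checked(user, url_pk, post):
    """Hardened shape: the target is the object the URL was routed to, and
    ownership is verified before anything is written. With Django this is the
    job of get_object_or_404(Submission, pk=url_pk, owner=request.user)."""
    submission = SUBMISSIONS.get(url_pk)
    if submission is None:
        raise LookupError("no such submission")
    if submission.owner != user:
        raise PermissionDenied(f"{user} does not own submission {url_pk}")
    if "pk" in post and int(post["pk"]) != url_pk:
        # A body pk that disagrees with the route is a tampering signal worth logging.
        raise PermissionDenied("pk in form does not match the edited submission")
    submission.title = post["title"]
    return submission


def try_edit(user, url_pk, post):
    """Outcome of the checked view as a string, so callers can compare paths."""
    try:
        edit_revision_checked(user, url_pk, post)
        return "ok"
    except PermissionDenied:
        return "denied"
    except LookupError:
        return "missing"
```

`edit_revision_trusting_post("bob", {"pk": "1", "title": "x"})` silently rewrites alice's submission, while `try_edit("bob", 1, ...)` returns `"denied"` and leaves it untouched.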