tsainez / bobchat

Social media network for University of California, Merced students.
MIT License

Any user can update or delete any den without authentication #7

Closed tsainez closed 2 years ago

tsainez commented 2 years ago

For instance, a user with id 2 can update or delete any den by simply typing in the URL to access that page, e.g. the /dens/4/update page is accessible by any user, whether or not they have permission to edit that den.

We should authenticate that the current user owns the den before they are allowed to make any changes to it. If they do not own the den, then redirect them back to their feed; otherwise perform normally.

This can be handled in dens.py in the route for updating dens.
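The ownership check the issue asks for, as an added example that is not part of the issue thread or the bobchat code base. It assumes a den record has an `owner_id` field and that the identity of the logged-in user is available as a numeric id taken from the session (for example Flask-Login's `current_user.id`), never from a form field the client controls. It is written framework-free so it runs stand-alone: in `dens.py` the same `require_owner` call would sit at the top of both the update and the delete route, on the GET that renders the form as well as on the POST that writes, with `redirect(url_for("feed"))` on failure.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Den:
    id: int
    owner_id: int
    title: str


@dataclass
class Response:
    """Minimal stand-in for an HTTP response so the example runs without Flask."""
    status: int
    redirect_to: Optional[str] = None
    den: Optional[Den] = None


def make_dens() -> Dict[int, Den]:
    """Constructed sample data: den 4 belongs to user 1, den 5 to user 2."""
    return {
        4: Den(id=4, owner_id=1, title="CSE 120 study group"),
        5: Den(id=5, owner_id=2, title="Bobcat hikers"),
    }


def update_den_vulnerable(dens: Dict[int, Den], den_id: int,
                          current_user_id: int, new_title: str) -> Response:
    """Behaviour described in the issue: any logged-in user can edit any den.

    The route only checks that the den exists; it never compares the
    den's owner with the session user, so user 2 can rewrite den 4.
    """
    den = dens.get(den_id)
    if den is None:
        return Response(status=404)
    den.title = new_title  # no ownership check
    return Response(status=200, den=den)


def require_owner(dens: Dict[int, Den], den_id: int,
                  current_user_id: int) -> Tuple[Optional[Den], Optional[Response]]:
    """Load the den and enforce ownership server-side.

    Returns (den, None) when current_user_id owns the den, otherwise
    (None, response) where response is the 404 or the redirect to the
    feed the issue asks for. A 403 would be the other reasonable choice;
    the fix comment notes the project has no forbidden template.
    """
    den = dens.get(den_id)
    if den is None:
        return None, Response(status=404)
    if den.owner_id != current_user_id:
        return None, Response(status=302, redirect_to="/feed")
    return den, None


def update_den(dens: Dict[int, Den], den_id: int,
               current_user_id: int, new_title: str) -> Response:
    """Hardened update route: the write only happens after require_owner passes."""
    den, err = require_owner(dens, den_id, current_user_id)
    if err is not None:
        return err
    den.title = new_title
    return Response(status=200, den=den)


def delete_den(dens: Dict[int, Den], den_id: int, current_user_id: int) -> Response:
    """Hardened delete route: same check, since the issue covers delete as well."""
    den, err = require_owner(dens, den_id, current_user_id)
    if err is not None:
        return err
    del dens[den_id]
    return Response(status=302, redirect_to="/feed")


if __name__ == "__main__":
    store = make_dens()
    # User 2 tries to edit den 4 (owned by user 1) by guessing the URL.
    print(update_den_vulnerable(store, 4, 2, "hijacked"))   # 200, title changed
    store = make_dens()
    print(update_den(store, 4, 2, "hijacked"))              # 302 -> /feed, unchanged
    print(update_den(store, 4, 1, "renamed"))               # 200, owner may edit
```

Hiding the edit and delete links in the template for non-owners is not a fix on its own: the check has to run in the route, because the URL the issue shows can be typed directly. Comparing against an id submitted in the request body instead of the session identity would reintroduce the same bug in a different field.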

VasquezNathan commented 2 years ago

Fixed, but there is no forbidden template.