For instance, a user with id 2 can update or delete any den by simply typing the URL of that page, e.g. the /dens/4/update page is accessible to any user, whether or not they have permission to that den.
We should verify that the current user owns the den before they are allowed to make any changes to it. If they do not own the den, redirect them back to their feed; otherwise proceed normally.
This can be handled in dens.py in the route for updating dens.
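The ownership check described above, as an added example that is not the project's own dens.py: Flask is not imported so the snippet runs stand-alone; the den store, the /feed redirect target and the function names are assumptions standing in for the real model, `current_user` and `url_for`.

```python
# Constructed sample data: den id -> record with its owning user id.
DENS = {4: {"owner_id": 1, "title": "Den four"}}

# Assumption: the feed route is mounted at /feed (url_for('feed') in Flask).
FEED_URL = "/feed"


def update_den_unchecked(current_user_id, den_id, new_title):
    """'Before': any logged-in user who types /dens/<id>/update can edit it."""
    den = DENS[den_id]
    den["title"] = new_title  # no ownership check at all
    return {"status": "updated", "den": den_id}


def _owner_or_redirect(current_user_id, den_id):
    """Shared guard for the update and delete routes.

    Returns (den, None) when the caller owns the den, or (None, response)
    with the redirect/not-found response that the route should return.
    """
    den = DENS.get(den_id)
    if den is None:
        return None, {"status": "not_found"}  # abort(404) in Flask
    if den["owner_id"] != current_user_id:
        # Not the owner: send them back to their feed, change nothing.
        return None, {"status": "redirect", "location": FEED_URL}
    return den, None


def update_den_checked(current_user_id, den_id, new_title):
    """'After': verify ownership before mutating the den."""
    den, response = _owner_or_redirect(current_user_id, den_id)
    if response is not None:
        return response
    den["title"] = new_title
    return {"status": "updated", "den": den_id}


def delete_den_checked(current_user_id, den_id):
    """Same guard applied to the delete route."""
    den, response = _owner_or_redirect(current_user_id, den_id)
    if response is not None:
        return response
    del DENS[den_id]
    return {"status": "deleted", "den": den_id}
```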