From ecd7ca2250422bcc041dc6a0b9f15dcdf5e335ff Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Fri, 8 Feb 2008 23:22:43 +0100
Subject: [PATCH] * Disallow adding influences for other users' characters.
---
 influences/views.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/influences/views.py b/influences/views.py
index 341c9a3..51cfb49 100644
--- a/influences/views.py
+++ b/influences/views.py
@@ -5,7 +5,7 @@ from django.template import RequestContext
 from django.utils.translation import ugettext as _
 from django.contrib.auth.models import User
 from django.core.urlresolvers import reverse
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseForbidden
 from django.views.generic.list_detail import object_detail, object_list
 from ee.influences.models import Character
 from ee.influences.models import Influence
@@ -36,8 +36,13 @@ def add(request, character_id=None):
 f = InfluenceForm(request=request, initial=initial)
 if (f.is_valid()):
- influence = f.save()
- return HttpResponseRedirect(reverse('influences_influence_detail', args=[influence.id]))
+ influence = f.save(commit=False)
+ if (influence.character.player == request.user):
+ influence.save()
+ return HttpResponseRedirect(reverse('influences_influence_detail', args=[influence.id]))
+ else:
+ # TODO: Make this a bit more pretty. Perhaps throw an exception here and add some middleware to catch it?
+ return HttpResponseForbidden("Forbidden -- Trying to submit influence for somebody else's character")
 # Only allow characters of the current user
 f.fields['character']._set_queryset(chars)
-- 
2.30.2
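Review bot: In the second hunk the ownership test runs only after `f.is_valid()`, while the line that limits the `character` field to the user's own characters (`f.fields['character']._set_queryset(chars)`) still appears after this block, so validation itself seems to accept any character id and the view-level comparison is the only barrier. Moving that queryset restriction above `if (f.is_valid()):` would make a foreign character fail as an invalid choice, with `influence.character.player == request.user` kept as a backstop. The refused branch would also benefit from a log entry recording `request.user` and the submitted character, so that repeated attempts are visible to whoever operates the site. If `InfluenceForm` carries many-to-many fields, `f.save(commit=False)` needs a following `f.save_m2m()` after `influence.save()`. The form definition and the rest of `add` lie outside the hunk, so these points should be confirmed there.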