* Disallow adding influences for other users' characters.
authorMatthijs Kooijman <matthijs@stdio.flexvps.nl>
Fri, 8 Feb 2008 22:22:43 +0000 (23:22 +0100)
committerMatthijs Kooijman <matthijs@stdio.flexvps.nl>
Fri, 8 Feb 2008 22:22:43 +0000 (23:22 +0100)
influences/views.py

index 341c9a3dc696161cf36bffee8a640a5946dcece6..51cfb495692fb9b6c6b71671eed1a0c10fe00206 100644 (file)
@@ -5,7 +5,7 @@ from django.template import RequestContext
 from django.utils.translation import ugettext as _
 from django.contrib.auth.models import User
 from django.core.urlresolvers import reverse
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseForbidden
 from django.views.generic.list_detail import object_detail, object_list
 from ee.influences.models import Character
 from ee.influences.models import Influence
@@ -36,8 +36,13 @@ def add(request, character_id=None):
 
     f = InfluenceForm(request=request, initial=initial)
     if (f.is_valid()):
-        influence = f.save()
-        return HttpResponseRedirect(reverse('influences_influence_detail', args=[influence.id]))
+        influence = f.save(commit=False)
+       if (influence.character.player == request.user):
+               influence.save()
+               return HttpResponseRedirect(reverse('influences_influence_detail', args=[influence.id]))
+       else:
+               # TODO: Make this a bit more pretty. Perhaps throw an exception here and add some middleware to catch it?
+               return HttpResponseForbidden("Forbidden -- Trying to submit influence for somebody else's character")
      
     # Only allow characters of the current user
     f.fields['character']._set_queryset(chars)
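Review bot: The ownership test `if (influence.character.player == request.user):` is the only server-side guard on this path, because `f.is_valid()` runs before `f.fields['character']._set_queryset(chars)` is applied below the `if` block, so the form validates the submitted character against a queryset that has not yet been narrowed to the current user. Consider moving the `_set_queryset(chars)` call to just above `if (f.is_valid()):` so a foreign character id fails as an ordinary validation error, and keep the 403 as a second check. Whether that works as-is depends on `InfluenceForm` and on how `chars` is built, both of which are outside this hunk. The added lines also appear to be indented with tabs while the surrounding code uses spaces; converting them to spaces keeps the block from breaking under stricter tab handling. The body of `add` starts before and continues after the hunk, so any other save path in it would need the same check.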