fix a few major permission holes
This commit is contained in:
@@ -608,6 +608,10 @@ class QuestionClone(AnatomyQuestionCreateBase):
|
||||
def get_initial(self):
|
||||
# print(self.request)
|
||||
old_object = get_object_or_404(AnatomyQuestion, pk=self.kwargs["pk"])
|
||||
|
||||
if self.request.user not in old_object.get_author_objects() and not self.request.user.is_superuser:
|
||||
raise PermissionDenied() # or Http404
|
||||
|
||||
initial_data = model_to_dict(old_object, exclude=["id"])
|
||||
|
||||
# We don't want to clone the exam details
|
||||
|
||||
Reference in New Issue
Block a user