fix a few major permission holes

This commit is contained in:
Ross
2023-12-04 12:19:52 +00:00
parent f346a69bb5
commit 976f57ac20
14 changed files with 77 additions and 36 deletions
+4
View File
@@ -608,6 +608,10 @@ class QuestionClone(AnatomyQuestionCreateBase):
def get_initial(self):
# print(self.request)
old_object = get_object_or_404(AnatomyQuestion, pk=self.kwargs["pk"])
if self.request.user not in old_object.get_author_objects() and not self.request.user.is_superuser:
raise PermissionDenied() # or Http404
initial_data = model_to_dict(old_object, exclude=["id"])
# We don't want to clone the exam details