fix a few major permission holes
This commit is contained in:
@@ -212,8 +212,12 @@ def rapid_clone(request, pk):
|
||||
new_item.pk = None # autogen a new pk (item_id)
|
||||
# new_item.name = "Copy of " + new_item.name #need to change uniques
|
||||
|
||||
if request.user not in new_item.get_author_objects() and not request.user.is_superuser:
|
||||
raise PermissionDenied() # or Http404
|
||||
|
||||
form = RapidForm(request.POST or None, instance=new_item)
|
||||
|
||||
|
||||
image_formset = ImageFormSet()
|
||||
answer_formset = AnswerFormSet()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user