author | René 'Necoro' Neumann <necoro@necoro.net> | 2013-10-16 01:31:03 +0200 |
---|---|---|
committer | René 'Necoro' Neumann <necoro@necoro.net> | 2013-10-16 01:31:03 +0200 |
commit | 3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 (patch) | |
tree | 19834310851470302a47dbe3a7b69f170fb97797 /app/views/consts.py | |
parent | d64e80b53fa82af41c6e49b9de08632348c3527a (diff) | |
Check user's authorisation when loading entries by ID.
Diffstat (limited to '')
-rw-r--r-- | app/views/consts.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/app/views/consts.py b/app/views/consts.py
index 20b3db1..0dcec57 100644
--- a/app/views/consts.py
+++ b/app/views/consts.py
@@ -1,12 +1,15 @@
 from . import Blueprint, db, \
 current_user, login_required, \
- templated, redirect, request
+ assert_authorisation, templated, redirect, request
 from ..model import Category, ConstExpense
 from ..forms import ConstForm, today
 import datetime
 from sqlalchemy import sql
+from functools import partial
+
+assert_authorisation = partial(assert_authorisation, ConstExpense.get)
 mod = Blueprint('consts', __name__)
@@ -53,18 +56,20 @@ def list ():
 @mod.route('/<int:id>')
 @login_required
+@assert_authorisation('id')
 @templated()
 def show(id):
 return { 'exp': ConstExpense.get(id) }
 @mod.route('/edit/<int:id>', methods=('GET', 'POST'))
 @login_required
+@assert_authorisation('id')
 @templated()
 def edit(id):
 exp = ConstExpense.get(id)
 form = const_form(exp)
- if request.method == 'POST':
+ if form.is_submitted():
 if 'deleteB' in request.form:
 db.session.delete(exp)
 db.session.commit()
@@ -79,6 +84,7 @@ def edit(id):
 @mod.route('/add/from/<int:other>')
 @login_required
+@assert_authorisation('other')
 @templated('.add')
 def add_from(other):
 exp = ConstExpense() # needed to initialize 'CE.next' |
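Review bot: The module-level `assert_authorisation = partial(assert_authorisation, ConstExpense.get)` rebinds the imported name, so inside consts.py the generic helper is shadowed and a reader of the decorators further down cannot see that the ownership check is tied to ConstExpense. A distinct name such as `assert_const_authorisation = partial(assert_authorisation, ConstExpense.get)` would keep that visible, with a comment like `# ownership check bound to ConstExpense.get; the argument names the view parameter that carries the entry id`. The decorator is keyed by a string ('id' on show and edit, 'other' on add_from in the later hunks), so a mismatch with the view's parameter name would presumably only surface at request time. How assert_authorisation behaves for a missing entry or an unknown parameter name is not visible in this diff and is worth confirming to be fail-closed.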
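Review bot: In `edit`, the delete branch is now reached on `form.is_submitted()` alone, which, if ConstForm is a Flask-WTF form, only reports that the request was a submission and runs no validation, so the CSRF token is presumably not checked before `db.session.delete(exp)` and `db.session.commit()`. Unless CSRF is enforced application-wide, which this diff does not show, the destructive path should sit behind a validated submission, for example a small dedicated delete form whose `validate_on_submit()` gates the delete. The new `@assert_authorisation('id')` covers who may act on the entry, but not whether the request was actually issued from the application's own page. The body of `edit` continues past the end of this hunk, so whether the save path validates the form cannot be judged from here.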