authorRené 'Necoro' Neumann <necoro@necoro.net>2013-10-16 01:31:03 +0200
committerRené 'Necoro' Neumann <necoro@necoro.net>2013-10-16 01:31:03 +0200
commit3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 (patch)
tree19834310851470302a47dbe3a7b69f170fb97797 /app/views
parentd64e80b53fa82af41c6e49b9de08632348c3527a (diff)
Check user's authorisation when loading entries by ID.
Diffstat (limited to 'app/views')
-rw-r--r--app/views/__init__.py4
-rw-r--r--app/views/consts.py10
-rw-r--r--app/views/expenses.py5
3 files changed, 14 insertions, 5 deletions
diff --git a/app/views/__init__.py b/app/views/__init__.py
index c9d9e8f..8737d07 100644
--- a/app/views/__init__.py
+++ b/app/views/__init__.py
@@ -7,14 +7,14 @@ from .. import app, db
# Some general imports
#
from ..login import current_user, login_required
-from ..utils import templated, redirect
+from ..utils import templated, redirect, assert_authorisation
from ..flask_extend import Blueprint
from flask import flash
__all__ = [
'db', 'app',
'current_user', 'login_required',
- 'templated', 'redirect',
+ 'assert_authorisation', 'templated', 'redirect',
'Blueprint', 'flash',
'request', 'url_for'
]
diff --git a/app/views/consts.py b/app/views/consts.py
index 20b3db1..0dcec57 100644
--- a/app/views/consts.py
+++ b/app/views/consts.py
@@ -1,12 +1,15 @@
from . import Blueprint, db, \
current_user, login_required, \
- templated, redirect, request
+ assert_authorisation, templated, redirect, request
from ..model import Category, ConstExpense
from ..forms import ConstForm, today
import datetime
from sqlalchemy import sql
+from functools import partial
+
+assert_authorisation = partial(assert_authorisation, ConstExpense.get)
mod = Blueprint('consts', __name__)
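Review bot: The module-level rebinding `assert_authorisation = partial(assert_authorisation, ConstExpense.get)` shadows the name just imported from the package, so a reader of the decorator lines below cannot tell from the name that the loader has already been bound; the same pattern is repeated in app/views/expenses.py with `SingleExpense.get`. A distinct name makes the binding visible at each use, e.g. `authorised_const = partial(assert_authorisation, ConstExpense.get)` with `@authorised_const('id')` on the views. A one-line comment stating what the partial fixes would also help: `# bind the loader the check uses to resolve the id kwarg into a ConstExpense`. The implementation of assert_authorisation itself is in ..utils and not part of this diff, so how it handles a missing record cannot be confirmed here.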
@@ -53,18 +56,20 @@ def list ():
@mod.route('/<int:id>')
@login_required
+@assert_authorisation('id')
@templated()
def show(id):
return { 'exp': ConstExpense.get(id) }
@mod.route('/edit/<int:id>', methods=('GET', 'POST'))
@login_required
+@assert_authorisation('id')
@templated()
def edit(id):
exp = ConstExpense.get(id)
form = const_form(exp)
- if request.method == 'POST':
+ if form.is_submitted():
if 'deleteB' in request.form:
db.session.delete(exp)
db.session.commit()
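Review bot: In `edit`, the switch from `request.method == 'POST'` to `form.is_submitted()` still lets the `'deleteB' in request.form` branch delete and commit before any form validation runs, so if CSRF checking lives in the form (Flask-WTF style) it is not exercised on the destructive path; consider `if form.validate_on_submit():` so the delete only proceeds on a validated submission, or validate explicitly before `db.session.delete(exp)`. Whether a separate global CSRF guard exists cannot be seen from this diff. Separately, `show` and `edit` call `ConstExpense.get(id)` after the decorator has presumably already resolved the same id, which is a second lookup per request; if the decorator could hand the loaded object to the view that would remove the duplication, but that is a change to ..utils outside this commit. edit's body continues past the end of the hunk.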
@@ -79,6 +84,7 @@ def edit(id):
@mod.route('/add/from/<int:other>')
@login_required
+@assert_authorisation('other')
@templated('.add')
def add_from(other):
exp = ConstExpense() # needed to initialize 'CE.next'
diff --git a/app/views/expenses.py b/app/views/expenses.py
index f5181e9..f36cbb4 100644
--- a/app/views/expenses.py
+++ b/app/views/expenses.py
@@ -1,13 +1,15 @@
from . import Blueprint, db, \
current_user, login_required, \
- templated, redirect, request
+ assert_authorisation, templated, redirect, request
from ..model import Category, SingleExpense, CatExpense, MonthExpense
from ..forms import ExpenseForm
import datetime, decimal
from sqlalchemy import sql, func
+from functools import partial
+assert_authorisation = partial(assert_authorisation, SingleExpense.get)
mod = Blueprint('expenses', __name__)
def expense_form(obj=None):
@@ -82,6 +84,7 @@ def show():
@mod.route('/edit/<int:id>', methods=('GET', 'POST'))
@login_required
+@assert_authorisation('id')
@templated()
def edit(id):
exp = SingleExpense.get(id)
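Review bot: Only `edit` in app/views/expenses.py receives `@assert_authorisation('id')`, whereas consts.py covers show, edit and add_from; if expenses.py has any other route that loads a SingleExpense from a URL id (the hunk header shows a neighbouring `show()` whose signature takes no id, so it may be fine), it needs the same decorator or the authorisation gap this commit closes remains there. This cannot be confirmed from the visible lines, so it is worth a quick grep of the remaining routes. edit's body continues outside the hunk.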