From 3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20=27Necoro=27=20Neumann?=
Date: Wed, 16 Oct 2013 01:31:03 +0200
Subject: Check user's authorisation when loading entries by ID.
---
 app/views/expenses.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'app/views/expenses.py')
diff --git a/app/views/expenses.py b/app/views/expenses.py
index f5181e9..f36cbb4 100644
--- a/app/views/expenses.py
+++ b/app/views/expenses.py
@@ -1,13 +1,15 @@
 from . import Blueprint, db, \
 current_user, login_required, \
- templated, redirect, request
+ assert_authorisation, templated, redirect, request
 from ..model import Category, SingleExpense, CatExpense, MonthExpense
 from ..forms import ExpenseForm
 import datetime, decimal
 from sqlalchemy import sql, func
+from functools import partial
+assert_authorisation = partial(assert_authorisation, SingleExpense.get)
 mod = Blueprint('expenses', __name__)
 def expense_form(obj=None):
@@ -82,6 +84,7 @@ def show():
 @mod.route('/edit/', methods=('GET', 'POST'))
 @login_required
+@assert_authorisation('id')
 @templated()
 def edit(id):
 exp = SingleExpense.get(id)
--
cgit v1.2.3
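Review bot: Rebinding the imported name in `assert_authorisation = partial(assert_authorisation, SingleExpense.get)` hides the generic helper for the rest of the module, so `@assert_authorisation('id')` further down does not show that the loader is fixed to `SingleExpense`. A distinct module-level name for the bound version would keep both readable. Failing that, a comment above the binding would help, for example `# Every authorisation check in this module loads the entry through SingleExpense.get`. The helper is defined outside this diff, so what it compares on the loaded entry cannot be confirmed from here.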
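Review bot: On `edit` the entry is now loaded twice per request, once inside `@assert_authorisation('id')` for the check and again by `exp = SingleExpense.get(id)` in the view, so the authorised object and the edited object come from separate lookups. Handing the checked entry to the view would tie the two together; until then a comment such as `# already loaded and checked by assert_authorisation('id'); keep both lookups on SingleExpense.get` records the dependency. The helper's body is not part of this diff, so it is worth confirming that an unknown id (a `None` result from the loader) gets the same response as an entry owned by someone else. Only `edit` gains the decorator in the visible hunks, so any other route in this file that takes an entry id presumably needs it as well. `edit`'s body continues outside the hunk.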