From 3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 Mon Sep 17 00:00:00 2001
From: René 'Necoro' Neumann <necoro@necoro.net>
Date: Wed, 16 Oct 2013 01:31:03 +0200
Subject: Check user's authorisation when loading entries by ID.

---
 app/views/__init__.py |  4 ++--
 app/views/consts.py   | 10 ++++++++--
 app/views/expenses.py |  5 ++++-
 3 files changed, 14 insertions(+), 5 deletions(-)

(limited to 'app/views')

diff --git a/app/views/__init__.py b/app/views/__init__.py
index c9d9e8f..8737d07 100644
--- a/app/views/__init__.py
+++ b/app/views/__init__.py
@@ -7,14 +7,14 @@ from .. import app, db
 # Some general imports
 #
 from ..login import current_user, login_required
-from ..utils import templated, redirect
+from ..utils import templated, redirect, assert_authorisation
 from ..flask_extend import Blueprint
 from flask import flash
 
 __all__ = [
     'db', 'app',
     'current_user', 'login_required',
-    'templated', 'redirect',
+    'assert_authorisation', 'templated', 'redirect',
     'Blueprint', 'flash',
     'request', 'url_for'
 ]
diff --git a/app/views/consts.py b/app/views/consts.py
index 20b3db1..0dcec57 100644
--- a/app/views/consts.py
+++ b/app/views/consts.py
@@ -1,12 +1,15 @@
 from . import Blueprint, db, \
         current_user, login_required, \
-        templated, redirect, request
+        assert_authorisation, templated, redirect, request
 
 from ..model import Category, ConstExpense
 from ..forms import ConstForm, today
 
 import datetime
 from sqlalchemy import sql
+from functools import partial
+
+assert_authorisation = partial(assert_authorisation, ConstExpense.get)
 
 mod = Blueprint('consts', __name__)
 
@@ -53,18 +56,20 @@ def list ():
 
 @mod.route('/<int:id>')
 @login_required
+@assert_authorisation('id')
 @templated()
 def show(id):
     return { 'exp': ConstExpense.get(id) }
 
 @mod.route('/edit/<int:id>', methods=('GET', 'POST'))
 @login_required
+@assert_authorisation('id')
 @templated()
 def edit(id):
     exp = ConstExpense.get(id)
     form = const_form(exp)
 
-    if request.method == 'POST':
+    if form.is_submitted():
         if 'deleteB' in request.form:
             db.session.delete(exp)
             db.session.commit()
@@ -79,6 +84,7 @@ def edit(id):
 
 @mod.route('/add/from/<int:other>')
 @login_required
+@assert_authorisation('other')
 @templated('.add')
 def add_from(other):
     exp = ConstExpense() # needed to initialize 'CE.next'
diff --git a/app/views/expenses.py b/app/views/expenses.py
index f5181e9..f36cbb4 100644
--- a/app/views/expenses.py
+++ b/app/views/expenses.py
@@ -1,13 +1,15 @@
 from . import Blueprint, db, \
         current_user, login_required, \
-        templated, redirect, request
+        assert_authorisation, templated, redirect, request
 
 from ..model import Category, SingleExpense, CatExpense, MonthExpense
 from ..forms import ExpenseForm
 
 import datetime, decimal
 from sqlalchemy import sql, func
+from functools import partial
 
+assert_authorisation = partial(assert_authorisation, SingleExpense.get)
 mod = Blueprint('expenses', __name__)
 
 def expense_form(obj=None):
@@ -82,6 +84,7 @@ def show():
 
 @mod.route('/edit/<int:id>', methods=('GET', 'POST'))
 @login_required
+@assert_authorisation('id')
 @templated()
 def edit(id):
     exp = SingleExpense.get(id)
-- 
cgit v1.2.3-70-g09d2