Only let you delete your own posts

author: Andrew Godwin 2022-11-27 00:55:19 -0700
committer: Andrew Godwin 2022-11-27 00:55:19 -0700
commit: 0f77f0ba9607c31148fa7d4aa44a77cc26288661 (patch)
tree: ef3b845b2bf0f4c9652776fbf369bd4248999c56 /activities/views
parent: 9cd1fccde5454435299069c32ef57513ae886995 (diff)
download: takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.tar.gz
takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.tar.bz2
takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/activities/views/posts.py b/activities/views/posts.py
index e1609cc..59b1f56 100644
--- a/activities/views/posts.py
+++ b/activities/views/posts.py
@@ -1,5 +1,5 @@
 from django import forms
-from django.http import JsonResponse
+from django.http import Http404, JsonResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.decorators import method_decorator
 from django.views.generic import FormView, TemplateView, View
@@ -145,6 +145,9 @@ class Delete(TemplateView):
     def dispatch(self, request, handle, post_id):
         self.identity = by_handle_or_404(self.request, handle, local=False)
         self.post_obj = get_object_or_404(self.identity.posts, pk=post_id)
+        # Make sure the request identity owns the post!
+        if self.post_obj.author != request.identity:
+            raise Http404("Post author is not requestor")
         return super().dispatch(request)
 
     def get_context_data(self):
author	Andrew Godwin	2022-11-27 00:55:19 -0700
committer	Andrew Godwin	2022-11-27 00:55:19 -0700
commit	0f77f0ba9607c31148fa7d4aa44a77cc26288661 (patch)
tree	ef3b845b2bf0f4c9652776fbf369bd4248999c56 /activities/views
parent	9cd1fccde5454435299069c32ef57513ae886995 (diff)
download	takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.tar.gz takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.tar.bz2 takahe-0f77f0ba9607c31148fa7d4aa44a77cc26288661.zip