From d5d0ad50fa33eb9e0fff32c24a0ce65f03bbc352 Mon Sep 17 00:00:00 2001
From: Ileana Maricel Barrionuevo <ilebarrionuevo@gmail.com>
Date: Wed, 21 Jul 2021 22:08:41 -0300
Subject: [PATCH] Fixed security issue: a user could edit others' shelves.

---
 cps/shelf.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cps/shelf.py b/cps/shelf.py
index 431eeff8..9556ba66 100644
--- a/cps/shelf.py
+++ b/cps/shelf.py
@@ -235,6 +235,8 @@ def create_shelf():
 @login_required
 def edit_shelf(shelf_id):
     shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()
+    if not shelf.user_id == int(current_user.id):
+        return "Sorry you are not allowed to edit this shelf", 403
     return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)