Add flaw 1: Broken Access Control

2024-11-25 16:33:17 +02:00 · 2024-11-25 16:33:17 +02:00 · 05fec8a837
commit 05fec8a837
parent 9e55b0a1ed
2 changed files with 18 additions and 4 deletions
--- a/notes/views.py
+++ b/notes/views.py
@ -36,10 +36,12 @@ def add(request):
@login_required()
 def remove(request, note_id):
    if request.method == 'POST':
-        user = request.user
        note = Note.objects.get(pk=note_id)
-        if user == note.owner:
-            note.delete()
+# FLAW 1:
+# Adding an ownership check would fix the problem
+#        user = request.user
+#        if user == note.owner:
+        note.delete()

    return HttpResponseRedirect(request.META.get('HTTP_REFERER', 'index'))