From a77e007f5b6cd90a18bee3ddaee5aab36bc44442 Mon Sep 17 00:00:00 2001
From: Mr McClain
Date: Wed, 24 Feb 2016 12:19:34 -0600
Subject: [PATCH] fixed security hole

---
 notifications/views.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/notifications/views.py b/notifications/views.py
index 98ecf5a8..c6252cb7 100644
--- a/notifications/views.py
+++ b/notifications/views.py
@@ -33,10 +33,11 @@ def notification_view(request, notif_id):
 @login_required
 def remove_notification(request, notif_id):
     logger.debug("remove notification called by user %s for notif_id %s" % (request.user, notif_id))
-    if Notification.objects.filter(id=notif_id).exists():
-        notif = get_object_or_404(Notification, pk=notif_id)
-        notif.delete()
-        logger.info("Deleting notif id %s by user %s" % (notif_id, request.user))
+    notif = get_object_or_404(Notification, pk=notif_id)
+    if notif.user == request.user:
+        if Notification.objects.filter(id=notif_id).exists():
+            notif.delete()
+            logger.info("Deleting notif id %s by user %s" % (notif_id, request.user))
     else:
         logger.error("Unable to delete notif id %s for user %s - notif matching id not found." % (notif_id, request.user))
-    return redirect('auth_notification_list')
\ No newline at end of file
+    return redirect('auth_notification_list')
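Review bot: The new ownership check still lets any logged-in user probe which notification ids exist, because `get_object_or_404` raises 404 for a missing id while another user's notification falls through to the `else` branch and redirects, and that branch then logs "notif matching id not found", which is now misleading (the row was found; the requester simply does not own it). Scoping the lookup to the requester removes the existence oracle, the wrong log message and the redundant second `exists()` query (the object was already fetched one line earlier) in one step: `notif = get_object_or_404(Notification, pk=notif_id, user=request.user)` followed directly by `notif.delete()` and the existing `logger.info(...)` line, with the nested `if`/`else` dropped. Only `@login_required` is visible on the view, so unless a `@require_POST` sits just outside the hunk the delete is reachable by GET, which Django's CSRF middleware does not protect; a state-changing view like this should be restricted to POST.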