fixed security hole

2025-07-12 05:50:16 +02:00 · 2016-02-24 12:19:34 -06:00 · 2016-02-24 12:19:34 -06:00 · a77e007f5b
commit a77e007f5b
parent 80e8f9ca4d
1 changed files with 6 additions and 5 deletions
--- a/notifications/views.py
+++ b/notifications/views.py
@ -33,8 +33,9 @@ def notification_view(request, notif_id):
@login_required
 def remove_notification(request, notif_id):
    logger.debug("remove notification called by user %s for notif_id %s" % (request.user, notif_id))
-    if Notification.objects.filter(id=notif_id).exists():
    notif = get_object_or_404(Notification, pk=notif_id)
+    if notif.user == request.user:
+        if Notification.objects.filter(id=notif_id).exists():
            notif.delete()
            logger.info("Deleting notif id %s by user %s" % (notif_id, request.user))
    else: