Add permission check for job deletion.

This commit is contained in:
Patrick Jentsch 2019-11-04 11:04:42 +01:00
parent e1225c95bf
commit eea0f4635d

View File

@ -20,10 +20,11 @@ def job(job_id):
@jobs.route('/<int:job_id>/delete') @jobs.route('/<int:job_id>/delete')
@login_required @login_required
def delete_job(job_id): def delete_job(job_id):
delete_thread = threading.Thread( job = Job.query.get_or_404(job_id)
target=background_delete_job, if not (job.creator == current_user or current_user.is_administrator()):
args=(current_app._get_current_object(), job_id) abort(403)
) delete_thread = threading.Thread(target=background_delete_job,
args=(current_app, job_id))
delete_thread.start() delete_thread.start()
flash('Job has been deleted!') flash('Job has been deleted!')
return redirect(url_for('main.dashboard')) return redirect(url_for('main.dashboard'))