Add permission check for job deletion.

2025-11-04 04:12:45 +00:00 · 2019-11-04 11:04:42 +01:00
parent e1225c95bf
commit eea0f4635d
1 changed files with 5 additions and 4 deletions
--- a/app/jobs/views.py
+++ b/app/jobs/views.py
@@ -20,10 +20,11 @@ def job(job_id):
@jobs.route('/<int:job_id>/delete')
@login_required
 def delete_job(job_id):
-    delete_thread = threading.Thread(
-        target=background_delete_job,
-        args=(current_app._get_current_object(), job_id)
-    )
+    job = Job.query.get_or_404(job_id)
+    if not (job.creator == current_user or current_user.is_administrator()):
+        abort(403)
+    delete_thread = threading.Thread(target=background_delete_job,
+                                     args=(current_app, job_id))
    delete_thread.start()
    flash('Job has been deleted!')
    return redirect(url_for('main.dashboard'))