Conservancy/reimbursinator
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added conditional to check user in finalize_report()

Browse source
This commit is contained in:
Rupika 2019-03-08 21:49:43 -08:00
parent f8d08ae7fd
commit dce18a5e28
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
back/backend/views.py
View file

@ -241,6 +241,10 @@ def finalize_report(request, report_pk):
:param report_pk: report ID :param report_pk: report ID
:return: JSON response containing user message :return: JSON response containing user message
""" """
# Check that the user owns the report
if not user_owns_report(user=request.user, report=report_pk):
return JsonResponse({"message": "Current user does not own the specified report."}, status=401)
r = Report.objects.get(id=report_pk) r = Report.objects.get(id=report_pk)
if r.submitted: if r.submitted:
return JsonResponse({"message": "Cannot submit a report that has already been submitted."}, status=409) return JsonResponse({"message": "Cannot submit a report that has already been submitted."}, status=409)