added conditional to check user in finalize_report()

2019-03-08 21:49:43 -08:00 · 2019-03-08 21:49:43 -08:00 · dce18a5e28
commit dce18a5e28
parent f8d08ae7fd
1 changed files with 4 additions and 0 deletions
--- a/back/backend/views.py
+++ b/back/backend/views.py
@ -241,6 +241,10 @@ def finalize_report(request, report_pk):
    :param report_pk: report ID
    :return: JSON response containing user message
    """
+    # Check that the user owns the report
+    if not user_owns_report(user=request.user, report=report_pk):
+        return JsonResponse({"message": "Current user does not own the specified report."}, status=401)
+
    r = Report.objects.get(id=report_pk)
    if r.submitted:
        return JsonResponse({"message": "Cannot submit a report that has already been submitted."}, status=409)