Commit ddbc8e41 authored by Yuri Konotopov's avatar Yuri Konotopov

extensions: properly check user permissions for media upload

parent 24ae1124
......@@ -346,6 +346,9 @@ def ajax_inline_edit_view(request, extension):
@require_POST
@model_view(models.Extension)
def ajax_upload_screenshot_view(request, extension):
if not extension.user_can_edit(request.user):
return HttpResponseForbidden()
extension.screenshot = request.FILES['file']
extension.save(replace_metadata_json=False)
return extension.screenshot.url
......@@ -354,6 +357,9 @@ def ajax_upload_screenshot_view(request, extension):
@require_POST
@model_view(models.Extension)
def ajax_upload_icon_view(request, extension):
if not extension.user_can_edit(request.user):
return HttpResponseForbidden()
extension.icon = request.FILES['file']
extension.save(replace_metadata_json=False)
return extension.icon.url
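Review bot: The new `user_can_edit` guard in `ajax_upload_screenshot_view` and `ajax_upload_icon_view` returns an `HttpResponseForbidden`, while the success path returns a bare URL string. Whatever wrapper turns the return value into a response (not visible in these hunks, which start below any further decorators) must pass `HttpResponse` objects through unchanged, or the denial could reach the client as a 200. A test that posts as a non-owner and asserts a 403 with `extension.screenshot` / `extension.icon` left unchanged would pin this for both views. Separately, `request.FILES['file']` still raises when the request has no `file` part, which looks like it would surface as a server error; `upload = request.FILES.get('file')` followed by `if upload is None: return HttpResponseBadRequest()` is more explicit. Because `Model.save()` does not run field validators, it is also worth confirming that upload type and size are constrained elsewhere before the file is stored and served from the media URL.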