Check if user is allowed to edit

2015-06-04 21:36:57 +02:00 · 2015-06-04 21:36:57 +02:00 · 3d5f6ef1ae
commit 3d5f6ef1ae
parent 333a7ec5ec
1 changed files with 2 additions and 0 deletions
--- a/app/views/order.py
+++ b/app/views/order.py
@ -53,6 +53,8 @@ def order(id, form=None):
@login_required
 def order_edit(id):
    order = Order.query.filter(Order.id == id).first()
+    if current_user.id is not order.courrier_id and not current_user.is_admin():
+        abort(401)
    if order is None:
        abort(404)
    orderForm = OrderForm(obj=order)