Make sure that users can't impersonate each other when creating pins

We weren't checking if the Pin submitter is the logged user which made it possible to pass any submitter to the Pin resource create call. Fix it, and make the submitter optional.
2025-11-13 16:45:41 +01:00 · 2013-04-05 19:34:31 +02:00
parent 3b10868832
commit c0bf9d992e
2 changed files with 40 additions and 1 deletions
--- a/pinry/core/api.py
+++ b/pinry/core/api.py
@@ -100,6 +100,20 @@ class PinResource(ModelResource):
            bundle.data['image'] = '/api/v1/image/{}/'.format(image.pk)
        return bundle

+    def hydrate(self, bundle):
+        """Run some early/generic processing
+
+        Make sure that user is authorized to create Pins first, before
+        we hydrate the Image resource, creating the Image object in process
+        """
+        submitter = bundle.data.get('submitter', None)
+        if not submitter:
+            bundle.data['submitter'] = '/api/v1/user/{}/'.format(bundle.request.user.pk)
+        else:
+            if not '/api/v1/user/{}/'.format(bundle.request.user.pk) == submitter:
+                raise Unauthorized("You are not authorized to create Pins for other users")
+        return bundle
+
    def dehydrate_tags(self, bundle):
        return map(str, bundle.obj.tags.all())