Commit 8af8908b authored by f00wl's avatar f00wl Committed by ornanovitch

fix(sec): protect transition route

parent 9dfca70b
......@@ -179,11 +179,12 @@ def action(profile_uuid, action):
@blueprint.route("/transition/<profile_uuid>/<transition_id>", methods=["GET", "POST"])
@security.authentication_required()
@security.confirmation_required("change the profile status")
def start_transition(profile_uuid, transition_id):
profile = models.Profile.query.get(profile_uuid) or flask.abort(404)
transition = profile.TRANSITIONS.get(transition_id) or flask.abort(404)
transition.authorized(profile)
authorized = transition.authorized(profile) or flask.abort(403)
profile.transition = transition_id
profile.transition_step = models.Profile.INIT
profile.transition_time = datetime.datetime.now() + datetime.timedelta(seconds=transition.delay)
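Review bot: The `authorized` name bound on the line that now ends in `or flask.abort(403)` is never read in the visible part of `start_transition`, so the assignment exists only to carry the abort side effect; an explicit guard, `if not transition.authorized(profile): flask.abort(403)`, makes the access-control decision read as a check and leaves no unused local. The underlying bug was a discarded return value from `transition.authorized(profile)`, so it is worth confirming that no other view calls it the same way; the `action` view named in the hunk header lies outside the hunk, so I cannot tell from here. The route also accepts GET for a state-changing operation; presumably `security.confirmation_required` restricts the mutation to the confirmed POST, and a one-line comment saying so would help the next reader. A regression test asserting that an unauthorized caller gets 403 and that `profile.transition` stays unchanged would pin the fix. The function body continues past the end of the hunk.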
......