fix(sec): protect transition route

hiboo/profile/views.py

@@ -179,11 +179,12 @@ def action(profile_uuid, action):
 
 
 @blueprint.route("/transition/<profile_uuid>/<transition_id>", methods=["GET", "POST"])
+@security.authentication_required()
 @security.confirmation_required("change the profile status")
 def start_transition(profile_uuid, transition_id):
     profile = models.Profile.query.get(profile_uuid) or flask.abort(404)
     transition = profile.TRANSITIONS.get(transition_id) or flask.abort(404)
-    transition.authorized(profile)
+    authorized = transition.authorized(profile) or flask.abort(403)
     profile.transition = transition_id
     profile.transition_step = models.Profile.INIT
     profile.transition_time = datetime.datetime.now() + datetime.timedelta(seconds=transition.delay)