From d245e58990568c10cbcdf980299eba1574ebc454 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Sun, 5 May 2019 09:14:12 +1000
Subject: [PATCH] Only allow PartStar creation for the currently authenticated user
---
InvenTree/part/api.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/InvenTree/part/api.py b/InvenTree/part/api.py
index d248edac98..b309284ba0 100644
--- a/InvenTree/part/api.py
+++ b/InvenTree/part/api.py
@@ -6,8 +6,10 @@ Provides a JSON API for the Part app
from __future__ import unicode_literals
from django_filters.rest_framework import DjangoFilterBackend
+
from rest_framework import filters
from rest_framework import generics, permissions
+from rest_framework.serializers import ValidationError
from django.db.models import Q
from django.conf.urls import url, include
@@ -161,6 +163,16 @@ class PartStarList(generics.ListCreateAPIView):
queryset = PartStar.objects.all()
serializer_class = PartStarSerializer
+ def create(self, request, *args, **kwargs):
+ # Ensure the 'user' field is the authenticated user
+ user_id = request.data['user']
+ if not str(user_id) == str(request.user.id):
+ raise ValidationError({'user': 'Parts can only be starred for the currently authenticated user'})
+ return super(generics.ListCreateAPIView, self).create(request, *args, **kwargs)
+
permission_classes = [
permissions.IsAuthenticatedOrReadOnly,
]
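Review bot: `user_id = request.data['user']` in the new `create` override raises KeyError when a client simply omits the `user` field, so such a POST becomes a 500 instead of the 400 that the ValidationError two lines later produces; `user_id = request.data.get('user')` keeps the same mismatch check (`str(None)` never equals the authenticated id) and returns a clean 400. The more robust shape is to not trust the client-supplied value at all and bind the owner server-side, e.g. override `perform_create` with `serializer.save(user=self.request.user)`, but whether that works depends on how PartStarSerializer declares `user`, which is not visible here. `super(generics.ListCreateAPIView, self).create(...)` starts the MRO search past the view's own base rather than past PartStarList itself; it presumably still lands on CreateModelMixin.create, but `super(PartStarList, self).create(request, *args, **kwargs)` is the conventional form and does not break if the base class later gains its own `create`. The `IsAuthenticatedOrReadOnly` permission kept as context below already rejects unauthenticated POSTs, so `request.user.id` being None does not reach this comparison.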