Three fixes to collection adding view, one of them a serious security bug

 - Don't let people who aren't the authors of a collection from adding
   things to it (handled by forcing the user check in the query)
 - request url in case invalid collection selected fixed
 - collection_item.author doesn't yet exist; removing the selection
   (we might want multiple people to be able to edit a collection in
   the future but that future does not yet exist; as Elrond said,
   remove this "false hope")

Thanks to Elrond to pointing out these issues.

And thanks to David Kindler for sponsoring this commit!

diff --git a/mediagoblin/user_pages/views.py b/mediagoblin/user_pages/views.py
index 69d7defbc28e7916f0d60ad436261e37c732db5e..80919d4712a871cc73b56c1a0105ae370d744461 100644 (file)
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@@ -227,7 +227,8 @@ def media_collect(request, media):
     # Otherwise, use the collection selected from the drop-down
     else:
         collection = Collection.query.filter_by(
-            id=request.form.get('collection')).first()
+            id=request.form.get('collection'),
+            creator=request.user.id).first()
 
     # Make sure the user actually selected a collection
     if not collection:
@@ -236,7 +237,7 @@ def media_collect(request, media):
             _('You have to select or add a collection'))
         return redirect(request, "mediagoblin.user_pages.media_collect",
                     user=media.get_uploader.username,
-                    media=media.id)
+                    media_id=media.id)
 
 
     # Check whether media already exists in collection
@@ -250,7 +251,6 @@ def media_collect(request, media):
         collection_item = request.db.CollectionItem()
         collection_item.collection = collection.id
         collection_item.media_entry = media.id
-        collection_item.author = request.user.id
         collection_item.note = request.form['note']
         collection_item.save()