[OK] import/export terms table: check user credentials before change

0fa9e74a · Romain Loth · 86820641 · 0fa9e74a
Commit 0fa9e74a authored Jun 20, 2016 by Romain Loth
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

ngramlists.py gargantext/views/api/ngramlists.py +10 -2

No files found.
--- a/gargantext/views/api/ngramlists.py
+++ b/gargantext/views/api/ngramlists.py
@@ -66,14 +66,22 @@ class CSVLists(APIView):


        /!\ We assume we checked the file size client-side before upload
-
-        £TODO check authentication and user.id
        """
+        if not request.user.is_authenticated():
+            res = HttpResponse("Unauthorized")
+            res.status_code = 401
+            return res
+
        # this time the corpus param is the one with the target lists to be patched
        params = get_parameters(request)
        corpus_id = int(params.pop("onto_corpus"))
        corpus_node = cache.Node[corpus_id]

+        if request.user.id != corpus_node.user_id:
+            res = HttpResponse("Unauthorized")
+            res.status_code = 401
+            return res
+
        # request also contains the file
        # csv_file has type django.core.files.uploadedfile.InMemoryUploadedFile
        #                                                 ----------------------