From 7431f23b67c8946b4e0b7568841415e493433e40 Mon Sep 17 00:00:00 2001
From: Seth Ladygo
Date: Fri, 3 May 2019 18:10:08 -0700
Subject: [PATCH] get_catalog() limit to own or public catalogs
---
 catalogedit/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/catalogedit/views.py b/catalogedit/views.py
index 9fa4c6a..8acee2f 100644
--- a/catalogedit/views.py
+++ b/catalogedit/views.py
@@ -1,4 +1,5 @@
 from django.contrib import messages
+from django.db.models import Q
 from django.http import HttpResponseRedirect, HttpResponse, JsonResponse
 from django.shortcuts import render, get_object_or_404
 from django.urls import reverse
@@ -31,7 +32,7 @@ def catalogedit(request, id=0):
 @login_required
 def get_catalog(request, id):
- cat = get_object_or_404(Catalog, id=id)
+ cat = get_object_or_404(Catalog, Q(id=id) & (Q(owner=request.user) | Q(public=True)))
 return JsonResponse(cat.data, safe=False)
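Review bot: The owner-or-public rule is written inline in `get_catalog` only, so every other view that loads a `Catalog` by id has to repeat it by hand; `catalogedit(request, id=0)`, named in the second hunk's header, also takes an id and its body is outside this hunk, so it should be checked for the same unscoped lookup. I would keep the read rule in one place, for example a queryset helper returning `Catalog.objects.filter(Q(owner=user) | Q(public=True))`, and keep write paths on `owner=request.user` alone so that `public=True` never grants edit access. The lookup itself reads more simply as `get_object_or_404(Catalog, Q(owner=request.user) | Q(public=True), id=id)`. A regression test in which a second logged-in user requests another user's private catalog and receives a 404 would pin the behaviour this commit introduces.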