Currently, the web UI allows any logged-in user to remove patches from
public bundles. However, the correct behaviour is that only the owner of
the bundle should be allowed to update a bundle.

Fix that by adding checks in set_bundle() before adding or removing
patches from bundles.

Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Closes: #599
if not data['bundle_id']:
return ['No bundle was selected']
bundle = get_object_or_404(Bundle, id=data['bundle_id'])
+ if request.user != bundle.owner:
+ return ["You don't have permissions to add patches to bundle"]
add_bundle_patches(request, patches, bundle)
elif action == 'remove':
bundle = get_object_or_404(Bundle, id=data['removed_bundle_id'])
+ if request.user != bundle.owner:
+ return ["You don't have permissions to remove patches from bundle"]
for patch in patches:
try:
bp = BundlePatch.objects.get(bundle=bundle, patch=patch)
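Review bot: In both the add and the remove branch the bundle is fetched by id alone with get_object_or_404() and the owner is compared only afterwards, so a non-owner gets a 404 for an unknown id but a permission message for an existing one, which tells them whether a given bundle id exists (the lookup shown filters on nothing but the id). Consider putting the owner into the lookup itself, e.g. `get_object_or_404(Bundle, id=data['bundle_id'], owner=request.user)`, or returning the same response in both cases. The two identical `request.user != bundle.owner` checks could also move into one small helper, so that an action added to set_bundle() later cannot skip it, and the visible lines carry no test for the non-owner add and remove paths.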