Security fix.

Don't allow editing anything but the current posting.
zerothabhishek · Mar 8, 2011 · f6b9847 · f6b9847
1 parent ef6d232
commit f6b9847
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/forms.py b/forms.py
@@ -15,7 +15,7 @@ class PostingForm(Form):
     job_how_to_apply = TextAreaField("How to apply", validators=[Required()])
     company_name = TextField("Company name")
     company_logo = FileField("Logo")
-    company_url = TextField("URL", validators=[Required(), URL()])
+    company_url = TextField("URL", validators=[URL()])
     poster_email = TextField("Email", validators=[Required(), Email()])
 
 class ConfirmForm(Form):

diff --git a/models.py b/models.py
@@ -35,9 +35,9 @@ class JobPost(db.Model):
     how_to_apply = db.Column(db.Unicode, nullable=False)
 
     # Company details
-    company_name = db.Column(db.Unicode(80), nullable=False)
+    company_name = db.Column(db.Unicode(80), nullable=False, default='')
     company_logo = db.Column(db.LargeBinary, nullable=True) # TODO: Images in the db?
-    company_url = db.Column(db.Unicode(255), nullable=False)
+    company_url = db.Column(db.Unicode(255), nullable=False, default='')
     email = db.Column(db.Unicode(80), nullable=False)
 
     # Payment, audit and workflow fields

diff --git a/views.py b/views.py
@@ -26,7 +26,7 @@ def jobdetail(hashid):
     if post is None:
         abort(404)
     if post.status == POSTSTATUS.DRAFT:
-        if 'userid' not in session or session['userid'] != post.email:
+        if 'userkey' not in session or session['userkey'] != post.email_verify_key:
             abort(403)
     if post.status == POSTSTATUS.REJECTED:
         abort(403) # TODO: Present an error message
@@ -62,7 +62,7 @@ def editjob(hashid, key, form=None, post=None):
         post.email = form.poster_email.data
 
         db.session.commit()
-        session['userid'] = post.email
+        session['userkey'] = post.email_verify_key
         return redirect(url_for('jobdetail', hashid=post.hashid), code=303)
 
     elif request.method == 'GET':