| author | Gertjan van den Burg <gertjanvandenburg@gmail.com> | 2019-03-27 12:58:17 +0000 |
|---|---|---|
| committer | Gertjan van den Burg <gertjanvandenburg@gmail.com> | 2019-03-27 12:58:17 +0000 |
| commit | d02939140ea769de0d844b82ea6a2082aba4dd57 (patch) | |
| tree | 8bc0b630e0330b346a46a12bca62221892a0cff3 | |
| parent | Remove v2 part of app name (diff) | |
Add extra validation to task access
| -rw-r--r-- | app/main/routes.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/app/main/routes.py b/app/main/routes.py
index 7e9505a..1495e35 100644
--- a/app/main/routes.py
+++ b/app/main/routes.py
@@ -86,8 +86,15 @@ def task(task_id):
 task = Task.query.filter_by(id=task_id).first()
 if task is None:
- flash("No task with id %r has been assigned to you." % task_id,
- "error")
+ flash("No task with id %r exists." % task_id, "error")
+ return redirect(url_for("main.index"))
+ if not task.annotator_id == current_user.id:
+ flash(
+ "No task with id %r has been assigned to you." % task_id, "error"
+ )
+ return redirect(url_for("main.index"))
+ if task.done:
+ flash("It's not possible to edit annotations at the moment.")
 return redirect(url_for("main.index"))
 data = load_data_for_chart(task.dataset.name)
 return render_template( |
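Review bot: The two early returns now show different messages for a task id that does not exist and one that belongs to another annotator, so any logged-in user can tell which ids exist; unless that distinction is wanted, use one message for both cases, e.g. `flash("No task with id %r has been assigned to you." % task_id, "error")`. The ownership test reads more directly as `if task.annotator_id != current_user.id:`, and the `task.done` flash omits the `"error"` category that the other two pass. task() begins above the hunk, so it is worth confirming that any branch there which writes annotations runs only after these checks.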
