From d02939140ea769de0d844b82ea6a2082aba4dd57 Mon Sep 17 00:00:00 2001
From: Gertjan van den Burg
Date: Wed, 27 Mar 2019 12:58:17 +0000
Subject: Add extra validation to task access
---
app/main/routes.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'app/main')
diff --git a/app/main/routes.py b/app/main/routes.py
index 7e9505a..1495e35 100644
--- a/app/main/routes.py
+++ b/app/main/routes.py
@@ -86,8 +86,15 @@ def task(task_id):
 task = Task.query.filter_by(id=task_id).first()
 if task is None:
- flash("No task with id %r has been assigned to you." % task_id,
- "error")
+ flash("No task with id %r exists." % task_id, "error")
+ return redirect(url_for("main.index"))
+ if not task.annotator_id == current_user.id:
+ flash(
+ "No task with id %r has been assigned to you." % task_id, "error"
+ )
+ return redirect(url_for("main.index"))
+ if task.done:
+ flash("It's not possible to edit annotations at the moment.")
 return redirect(url_for("main.index"))
 data = load_data_for_chart(task.dataset.name)
 return render_template(
-- 
cgit v1.2.3
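Review bot: The two rejection branches now tell a logged-in user whether a task id exists ("exists." versus "has been assigned to you."), so the new ownership check also discloses which ids belong to other annotators; using the same text in both branches, e.g. `flash("No task with id %r has been assigned to you." % task_id, "error")`, keeps the check without that disclosure. The comparison reads more plainly as `if task.annotator_id != current_user.id:`, and the `task.done` flash omits the `"error"` category that the other two messages pass. task() starts above the hunk and continues below it, so any request handling that runs before this lookup (not visible here) would not be covered by these checks and is worth confirming.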