Fixes: #194
Fixes: CVE-2015-5301
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
message_type=message_type)
def delete(self):
message_type=message_type)
def delete(self):
+ if (not self.user.is_admin and
+ self.user.name != self.sp.owner):
+ raise cherrypy.HTTPError(403)
self.parent.del_sp(self.sp.name)
self.sp.permanently_delete()
return self.parent.root()
self.parent.del_sp(self.sp.name)
self.sp.permanently_delete()
return self.parent.root()