From cedceabe2ef054df3461a3c01e4eacaa79cf2673 Mon Sep 17 00:00:00 2001
From: Jeremy Zhang
Date: Wed, 13 Sep 2017 21:51:32 +0000
Subject: [PATCH] Check user permissions when accepting a post request for administrating guilds
---
 webapp/titanembeds/blueprints/user/user.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/webapp/titanembeds/blueprints/user/user.py b/webapp/titanembeds/blueprints/user/user.py
index c2570d1..a2735ce 100644
--- a/webapp/titanembeds/blueprints/user/user.py
+++ b/webapp/titanembeds/blueprints/user/user.py
@@ -223,6 +223,8 @@ def update_administrate_guild(guild_id):
 db_guild = db.session.query(Guilds).filter(Guilds.guild_id == guild_id).first()
 if not db_guild:
 abort(400)
+ if not check_user_permission(guild_id, 5):
+ abort(403)
 db_guild.unauth_users = request.form.get("unauth_users", db_guild.unauth_users) in ["true", True]
 db_guild.visitor_view = request.form.get("visitor_view", db_guild.visitor_view) in ["true", True]
 db_guild.webhook_messages = request.form.get("webhook_messages", db_guild.webhook_messages) in ["true", True]
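Review bot: The added permission check in update_administrate_guild runs after the `if not db_guild: abort(400)` lookup, so a caller without rights on a guild gets 400 or 403 depending on whether that guild has a row, which discloses which guild IDs are registered. Placing `if not check_user_permission(guild_id, 5): abort(403)` as the first statement of the handler, before the query, removes that difference and skips the database read for unauthorized requests. The literal `5` is opaque at the call site; a named constant such as `PERM_MANAGE_GUILD = 5` (presumably a permission bit index, to be confirmed against check_user_permission) would make the required right auditable. The function starts and ends outside the hunk and the helper's body is not shown, so it is worth confirming that check_user_permission fails closed when the session holds no user, and that the other guild-scoped POST routes in this blueprint carry the same check.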