From e4665fac4b0c5c55c755702684302c8d83e333f8 Mon Sep 17 00:00:00 2001
From: jh-RLI
Date: Tue, 18 Mar 2025 13:35:54 +0100
Subject: [PATCH] add user perm check on backend when deleing a tag to avoid issue with inserting html (like delete button)
---
 dataedit/views.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dataedit/views.py b/dataedit/views.py
index 5cb55bcdf..a3494e6f7 100644
--- a/dataedit/views.py
+++ b/dataedit/views.py
@@ -668,6 +668,9 @@ def change_tag(request):
 # requested changes are not valid because of name conflicts
 status = "invalid"
+ if not request.user.has_admin_permissions():
+ raise PermissionDenied
+
 elif "submit_delete" in request.POST:
 id = request.POST["tag_id"]
 delete_tag(id)
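Review bot: The added `if not request.user.has_admin_permissions(): raise PermissionDenied` sits before `elif "submit_delete" in request.POST:` rather than inside the delete branch, so whether it actually guards `delete_tag(id)` depends on indentation that this view has lost. If it is nested in the preceding branch, the delete path stays unchecked; if it is at the `elif`'s level, it splits the existing if/elif chain and is evaluated only after the preceding branch has already run. Making the check the first statement of the delete branch, directly above `id = request.POST["tag_id"]`, states the intent unambiguously, and the save path presumably needs the same check if tag edits are also admin-only. The commit adds no import (3 insertions, all in this hunk), so `PermissionDenied` must already be in scope in `dataedit/views.py` (if this is Django's exception, `from django.core.exceptions import PermissionDenied`); otherwise the new line raises NameError instead of a 403. `change_tag` starts and ends outside the hunk.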