reputation: check if post really belong to user

--HG-- branch : stable
2012-06-16 12:45:32 +03:00 · 2012-06-16 12:45:32 +03:00 · d7658490b3
commit d7658490b3
parent b8e27133d7
2 changed files with 6 additions and 1 deletions
--- a/.hgsubstate
+++ b/.hgsubstate
@ -1 +1 @@
-0f1fddaeb9771a8e0aeae35c8cd66e24058c0bcc projects
+07a9dad465bbd8654713e8d9d0479b83a1097be6 projects
--- a/djangobb_forum/forms.py
+++ b/djangobb_forum/forms.py
@ -351,6 +351,11 @@ class ReputationForm(forms.ModelForm):
            pass
        else:
            raise forms.ValidationError(_('You already voted for this post'))
+        
+        # check if this post really belong to `from_user`
+        if not Post.objects.filter(pk=self.cleaned_data['post'].id, user=self.to_user).exists():
+            raise forms.ValidationError(_('This post does\'t belong to this user'))
+
        return self.cleaned_data