Fix Big Security Bug: check if user own form in edit view and read id of edited event from url instead of form.

I'm retarded.

Author: chaosagent

forms.py

@@ -58,7 +58,3 @@ class EventForm(Form):
     def validate_link(self, field):
         if not any(field.data.startswith(prefix) for prefix in [u'http://', u'https://']):
             raise ValidationError('Invalid link')
-
-
-class EventUpdateForm(EventForm):
-    id = HiddenField()

static/css/calendar.css

@@ -1,3 +1,4 @@
+
 #timeline #ctf_schedule {
     /* min-height: 400px; */
     position: relative;

templates/events/manage.html

@@ -12,13 +12,13 @@
                     <h2 class="panel-title">Manage Event</h2>
                 </div>
                 <div class="panel-body">
-                    <form class="form-horizontal" method="POST" id="event_manage_form">
-                        {{ event_manage_form.csrf_token }}
-                        {% if event_manage_form.errors %}
+                    <form class="form-horizontal" method="POST" id="event_form">
+                        {{ event_form.csrf_token }}
+                        {% if event_form.errors %}
                             <div class="alert alert-danger">
                                 <ul>
                                     Please correct the following errors.
-                                    {% for field in event_manage_form %}
+                                    {% for field in event_form %}
                                         {% if field.errors %}
                                             {% for error in field.errors %}
                                                 <li>{{ error }}</li>
@@ -32,8 +32,7 @@ <h2 class="panel-title">Manage Event</h2>
                             <div id="login_msg"></div>
                         </fieldset>
                         <fieldset class="container-fluid">
-                            {{ event_manage_form.id() }}
-                            {% for field in event_manage_form if field.id != 'csrf_token' and field.id != 'id' %}
+                            {% for field in event_form if field.id != 'csrf_token' and field.id != 'id' %}
                                 <div class="row">
                                     <div class="col-sm-12 form-group">
                                         {{ field.label(class_="col-sm-3 control-label") }}

views/events.py

@@ -1,9 +1,9 @@
 import json
 
-from flask import Blueprint, redirect, render_template, url_for, flash
+from flask import abort, Blueprint, redirect, render_template, url_for, flash
 from flask_login import current_user, login_required
 
-from forms import EventForm, EventUpdateForm
+from forms import EventForm
 from models import db, Event
 from util import admin_required, isoformat
 
@@ -110,8 +110,10 @@ def events_approve(event_id):
 @login_required
 def events_manage(event_id):
     event = Event.query.get_or_404(event_id)
-    event_manage_form = EventUpdateForm(obj=event)
-    if event_manage_form.validate_on_submit():
-        event_manage_form.populate_obj(event)
-        return redirect(url_for('.events_detail', event_id=event.id))
-    return render_template('events/manage.html', event_manage_form=event_manage_form)
+    if current_user != event.owner:
+        abort(403)
+    event_form = EventForm(obj=event)
+    if event_form.validate_on_submit():
+        event_form.populate_obj(event)
+        return redirect(url_for('.events_detail', event_id=event_id))
+    return render_template('events/manage.html', event_form=event_form)