From 7882b767049315231f173618eeb0d0962d4e4a95 Mon Sep 17 00:00:00 2001
From: Lova Andriarimalala <43842786+Xpirix@users.noreply.github.com>
Date: Thu, 21 Nov 2024 08:41:14 +0300
Subject: [PATCH] Fix security vulnerability for Hub API
---
qgis-app/api/views.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/qgis-app/api/views.py b/qgis-app/api/views.py
index b60b2a69..eb37e73f 100644
--- a/qgis-app/api/views.py
+++ b/qgis-app/api/views.py
@@ -422,7 +422,7 @@ def get(self, request, *args, **kwargs):
 object = _get_resource_object(uuid, resource_type)
 if object is None:
 raise Http404
- if not object.creator.is_staff and object.creator != request.user:
+ if not request.user.is_superuser and object.creator != request.user:
 return Response(
 {"detail": "You do not have permission to perform this action."},
 status=status.HTTP_403_FORBIDDEN,
@@ -436,7 +436,7 @@ def put(self, request, *args, **kwargs):
 object = _get_resource_object(uuid, resource_type)
 if object is None:
 raise Http404
- if not object.creator.is_staff and object.creator != request.user:
+ if not request.user.is_superuser and object.creator != request.user:
 return Response(
 {"detail": "You do not have permission to perform this action."},
 status=status.HTTP_403_FORBIDDEN,
@@ -453,7 +453,7 @@ def delete(self, request, *args, **kwargs):
 object = _get_resource_object(uuid, resource_type)
 if object is None:
 raise Http404
- if not object.creator.is_staff and object.creator != request.user:
+ if not request.user.is_superuser and object.creator != request.user:
 return Response(
 {"detail": "You do not have permission to perform this action."},
 status=status.HTTP_403_FORBIDDEN,
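Review bot: The corrected ownership check is pasted verbatim into get, put and delete (the same changed line in all three hunks), and the fact that this fix had to be applied in three places is exactly the drift risk a single helper removes. I would add `def _is_owner_or_superuser(user, obj): return user.is_superuser or obj.creator == user` next to `_get_resource_object` and reduce each check to `if not _is_owner_or_superuser(request.user, object):`, so any later change to the policy lands once. Note that `is_staff` now grants nothing — staff who are not superusers can only touch their own resources; if staff moderation of other users' resources is intended, the helper is the one place to extend. An unauthenticated request (AnonymousUser) is also denied by this condition, which is the safe default, though whether a 401 is preferable depends on the view's authentication classes, which are outside the hunk. The enclosing get/put/delete methods start before and continue past each hunk.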