From eea90a606ff07948f3a20a58222db945ff840dc9 Mon Sep 17 00:00:00 2001
From: esensar
Date: Thu, 20 Sep 2018 15:19:41 +0200
Subject: [PATCH] Protect dashboards from unauthorized access

---
 app/api/resources/dashboard.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/api/resources/dashboard.py b/app/api/resources/dashboard.py
index e3d295f..d8fafd1 100644
--- a/app/api/resources/dashboard.py
+++ b/app/api/resources/dashboard.py
@@ -1,4 +1,5 @@
 from flask import g
+from flask_restful import abort
 from marshmallow import Schema, fields
 from webargs.flaskparser import use_args
 from flasgger import swag_from
@@ -23,12 +24,20 @@ class DashboardsSchema(Schema):
 class DashboardResource(ProtectedResource):
     @swag_from('swagger/get_dashboard_spec.yaml')
     def get(self, dashboard_id):
+        requested_dashboard = dashboard.get_dashboard(dashboard_id)
+        if requested_dashboard.account_id != g.current_account.id:
+            abort(403, message='You are not allowed to access this dashboard',
+                  status='error')
         return DashboardWrapperSchema().dump(
-            {'dashboard': dashboard.get_dashboard(dashboard_id)}), 200
+            {'dashboard': requested_dashboard}), 200
 
     @use_args(DashboardWrapperSchema())
     @swag_from('swagger/update_dashboard_spec.yaml')
     def put(self, dashboard_id, args):
+        requested_dashboard = dashboard.get_dashboard(dashboard_id)
+        if requested_dashboard.account_id != g.current_account.id:
+            abort(403, message='You are not allowed to access this dashboard',
+                  status='error')
         args = args['dashboard']
         success = dashboard.update_dashboard(
             dashboard_id,
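Review bot: The ownership guard is copied verbatim into get() and put(), and neither copy handles a lookup miss — if dashboard.get_dashboard() can return None for an unknown id (not visible here, please confirm), `requested_dashboard.account_id` raises before the 403 is reached and the client gets a 500. Both copies also answer 403 for a dashboard owned by someone else and would answer something different for a nonexistent one, which tells an unauthenticated-to-this-resource caller that the id exists; if that distinction matters for this API, both cases should return 404. I would move the lookup plus check into one module-level helper so every handler on this resource (and any other handler in this file that takes a dashboard_id, which this hunk does not show) goes through the same path; put()'s body continues past the end of the hunk.

```python
def _get_owned_dashboard(dashboard_id):
    """Return the dashboard for *dashboard_id* if it belongs to the current
    account; abort the request otherwise.

    Aborts with 404 when no dashboard is found and with 403 when the
    dashboard belongs to a different account.
    """
    requested_dashboard = dashboard.get_dashboard(dashboard_id)
    if requested_dashboard is None:  # TODO confirm get_dashboard returns None on a miss
        abort(404, message='Dashboard not found', status='error')
    if requested_dashboard.account_id != g.current_account.id:
        abort(403, message='You are not allowed to access this dashboard',
              status='error')
    return requested_dashboard


class DashboardResource(ProtectedResource):
    @swag_from('swagger/get_dashboard_spec.yaml')
    def get(self, dashboard_id):
        requested_dashboard = _get_owned_dashboard(dashboard_id)
        return DashboardWrapperSchema().dump(
            {'dashboard': requested_dashboard}), 200

    # … unchanged: use_args / swag_from decorators on put …
    def put(self, dashboard_id, args):
        requested_dashboard = _get_owned_dashboard(dashboard_id)
        # … unchanged: args unwrapping and update_dashboard call …
```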