author藍挺瑋 <lantw44@gmail.com>2012-12-23 01:37:57 +0800
committerLAN-TW <lantw44@gmail.com>2012-12-23 01:37:57 +0800
commit570e25aa298aa2b940f93fda1fd4bc4bcc05abbb (patch)
tree0606c835755bb3fbfa632c311881db8461576928
parentfb73fddd08d93c642ed469b0d1d9147fc1c1f986 (diff)
downloadinccalendar-570e25aa298aa2b940f93fda1fd4bc4bcc05abbb.tar.gz
inccalendar-570e25aa298aa2b940f93fda1fd4bc4bcc05abbb.tar.zst
inccalendar-570e25aa298aa2b940f93fda1fd4bc4bcc05abbb.zip
為了避免使用者用 key 存取他人資料,fetch/update/remove 都要核對 Email
-rw-r--r--access/fetch.py9
-rw-r--r--access/remove.py3
-rw-r--r--access/update.py7
3 files changed, 18 insertions, 1 deletions
diff --git a/access/fetch.py b/access/fetch.py
index d36c25b..170a7a7 100644
--- a/access/fetch.py
+++ b/access/fetch.py
@@ -35,11 +35,20 @@ def XMLBuildCalEvent(calevent, entry):
class FetchEvent(webapp2.RequestHandler):
def get(self): # GET 適用於已知 key 的狀況
+ guserid = users.get_current_user()
+ if not guserid:
+ return
+
mykey = self.request.get('key')
eventroot = etree.Element('inccalender')
calevent = etree.SubElement(eventroot, 'calevent')
entrykey = db.Key(mykey)
+ if entrykey.parent().name() != guserid.email():
+ self.response.set_status(403)
+ return
+
entry = db.get(entrykey)
+
XMLBuildCalEvent(calevent, entry)
self.response.headers['Content-Type'] = 'text/xml; charset=UTF-8'
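Review bot: `entrykey = db.Key(mykey)` on the line just before the new ownership check is built straight from the raw `key` parameter, so an empty or malformed value raises `db.BadKeyError`, and a root key with no parent makes `entrykey.parent().name()` fail on `None`; both surface as a 500 instead of the 400/403 the check intends. The comparison itself looks sound on the assumption that every event is stored under a parent keyed by the owner's email, but the parse and the `parent()` lookup need guarding, as below. The same three lines recur in remove.py (`thiskey.parent().name()`) and update.py (`mykeyobj.parent().name()`), which would read better as one shared helper, e.g. `_owned_by(key, user)`, and should get the same guard. `db.get(entrykey)` can also return `None` for a well-formed key whose entity no longer exists, which then fails inside `XMLBuildCalEvent`; a 404 there would be consistent with the 403. `FetchEvent.get` continues outside the hunk.
```python
        try:
            entrykey = db.Key(mykey)
        except db.BadKeyError:
            self.response.set_status(400)
            return
        owner = entrykey.parent()
        if owner is None or owner.name() != guserid.email():
            self.response.set_status(403)
            return
        # … unchanged: db.get, XMLBuildCalEvent, Content-Type header …
```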
diff --git a/access/remove.py b/access/remove.py
index a6bbfbe..7e6986b 100644
--- a/access/remove.py
+++ b/access/remove.py
@@ -14,6 +14,9 @@ class RemoveEvent(webapp2.RequestHandler):
if not guserid:
return
thiskey = db.Key(self.request.get('key'))
+ if thiskey.parent().name() != guserid.email():
+ self.response.set_status(403)
+ return
thisobj = db.get(thiskey)
thisobj.delete()
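Review bot: `thisobj = db.get(thiskey)` returns `None` when no entity exists at that path, and `thisobj.delete()` on the next line then raises `AttributeError` and surfaces as a 500; the new ownership check above does not cover this, since a well-formed key for an already-deleted event passes it. A guard between the two lines, `if thisobj is None: self.response.set_status(404); return`, closes that gap. Separately, the existing `if not guserid: return` answers an unauthenticated request with an empty 200, so a client cannot tell a rejected delete from a successful one; a `self.response.set_status(401)` before the `return` would make it explicit, and the same pattern is used in fetch.py and update.py. The enclosing handler method starts outside the hunk.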
diff --git a/access/update.py b/access/update.py
index e80c183..85e4894 100644
--- a/access/update.py
+++ b/access/update.py
@@ -14,6 +14,12 @@ class UpdateEvent (webapp2.RequestHandler) :
guserid = users.get_current_user()
if not guserid:
return
+ mykey = self.request.get('key')
+ mykeyobj = db.Key(mykey)
+ if mykeyobj.parent().name() != guserid.email():
+ self.response.set_status(403)
+ return
+
thisicon = int(self.request.get('icon'))
thistitle = self.request.get('title')
thiscontent = self.request.get('content')
@@ -31,7 +37,6 @@ class UpdateEvent (webapp2.RequestHandler) :
);
thisdatafrom = self.request.get('datafrom')
thisremind = int(self.request.get('remind'))
- mykey = self.request.get('key')
eventdata = db.get(mykey)
eventdata.icon = thisicon