Only the owner of a rating should be able to update it (bug 936540)

2013-11-12 15:34:21 +01:00 · 2013-11-12 15:34:21 +01:00 · b4af597677
--- a/mkt/ratings/resources.py
+++ b/mkt/ratings/resources.py
@ -175,6 +175,12 @@ class RatingResource(CORSResource, MarketplaceModelResource):
        Handle PUT requests to the resource. If authorized and the data
        validates, update the indicated resource with bundle data.
        """
+        obj = self.get_by_resource_or_404(request, **kwargs)
+        if not OwnerAuthorization().is_authorized(request, object=obj):
+            raise http_error(
+                http.HttpForbidden,
+                'You do not have permission to update this review.')
+
        form = ReviewForm(bundle.data)
        if not form.is_valid():
            raise self.form_errors(form)
--- a/mkt/ratings/tests/test_resources.py
+++ b/mkt/ratings/tests/test_resources.py
@ -337,6 +337,12 @@ class TestRatingResource(BaseOAuth, AMOPaths):
        res, data = self._update({'app': -1})
        eq_(res.status_code, 400)

+    def test_update_comment_not_mine(self):
+        r = Review.objects.create(addon=self.app, user=self.user2, body='yes')
+        res = self.client.put(get_url('rating', r.pk),
+                              json.dumps({'body': 'no', 'rating': 1}))
+        eq_(res.status_code, 403)
+
    def test_delete_app_mine(self):
        AddonUser.objects.filter(addon=self.app).update(user=self.user)
        user2 = UserProfile.objects.get(pk=31337)