fix(controller): disallow unauthorized users from rolling back releases

Matthew Fisher · Matthew Fisher · commit a130937c45f3 · 2015-01-06T10:30:18.000-08:00
Because we did not check the user's permissions inside the view, a user
who did not have authorization could roll back an application's release
version.
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -368,6 +368,7 @@ def rollback(self, request, *args, **kwargs):
         """
         try:
             app = get_object_or_404(models.App, id=self.kwargs['id'])
+            self.check_object_permissions(self.request, app)
             release = app.release_set.latest()
             version_to_rollback_to = release.version - 1
             if request.DATA.get('version'):
