From 10333511d74866208f21795b8ed58584e7b647ae Mon Sep 17 00:00:00 2001
From: Amit Upreti
Date: Fri, 24 Feb 2023 11:04:38 -0500
Subject: [PATCH 1/2] limit edit event to the event host(Instructor) who created the event
Although, we dont allow other Instructor to edit someone else's event from the User Interface, There is a chance that some one can simulate a post request and edit someone else's event(As we were not verifying that the requester is the event host(Instructor) who created the event)
---
physionet-django/events/views.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/physionet-django/events/views.py b/physionet-django/events/views.py
index 32b97e013e..5ff606ae7e 100644
--- a/physionet-django/events/views.py
+++ b/physionet-django/events/views.py
@@ -21,7 +21,7 @@ def update_event(request, event_slug, **kwargs):
 if request.method == 'POST':
 event = Event.objects.get(slug=event_slug)
 event_form = AddEventForm(user=user, data=request.POST, instance=event)
- if event_form.is_valid() and can_change_event:
+ if event_form.is_valid() and can_change_event and event.host == user:
 event_form.save()
 messages.success(request, "Updated Event Successfully")
 else:
From b9c57e52365bb9d35becc7245b48d7f8ea0c0ef9 Mon Sep 17 00:00:00 2001
From: Amit Upreti
Date: Fri, 24 Feb 2023 11:25:56 -0500
Subject: [PATCH 2/2] Improve error messages
Earlier, we were not showing relevant error messages to the users in case where they did not have permission to edit an event. This commit nests the if condition to show appropriate error message to the user
---
physionet-django/events/views.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/physionet-django/events/views.py b/physionet-django/events/views.py
index 5ff606ae7e..28ec0cb561 100644
--- a/physionet-django/events/views.py
+++ b/physionet-django/events/views.py
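Review bot: The host check added on the `+` line is evaluated only after `Event.objects.get(...)` and `event_form.is_valid()` have already run, so a non-host's POST body is still bound and validated before authorization is decided, and a slug matching no event raises `Event.DoesNotExist` (a 500) instead of returning a 404. Authorization belongs in a guard before the form is built: `event = get_object_or_404(Event, slug=event_slug)` followed by `if not (can_change_event and event.host == user): raise PermissionDenied` (from `django.shortcuts` and `django.core.exceptions`). The rewrite in [PATCH 2/2] keeps the same validate-then-authorize order, so the same point applies to that hunk. `user` and `can_change_event` are assigned earlier in update_event, outside the hunk, so whether the GET branch applies the same host rule cannot be confirmed from here.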
@@ -21,9 +21,12 @@ def update_event(request, event_slug, **kwargs):
 if request.method == 'POST':
 event = Event.objects.get(slug=event_slug)
 event_form = AddEventForm(user=user, data=request.POST, instance=event)
- if event_form.is_valid() and can_change_event and event.host == user:
- event_form.save()
- messages.success(request, "Updated Event Successfully")
+ if event_form.is_valid():
+ if can_change_event and event.host == user:
+ event_form.save()
+ messages.success(request, "Updated Event Successfully")
+ else:
+ messages.error(request, "You don't have permission to edit this event")
 else:
 messages.error(request, event_form.errors)
 else:
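Review bot: The new inner `else:` branch records the denial with `messages.error(...)` but, as far as the hunk shows, then falls through to the same response as a successful update, so an unauthorized edit attempt gets the normal page with a success-style status and leaves no distinct signal in access logs or monitoring. Replacing that line with `raise PermissionDenied` (from `django.core.exceptions`) turns the denial into a 403 response that tests and monitoring can distinguish from a successful update. Since `can_change_event` is computed earlier in update_event, outside the hunk, the `event.host == user` rule would be better folded into that value so any GET rendering of the form applies the same condition; the rest of the function is not visible here.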