Update the delete item to use the _id after all... it's the safest way.

See http://bugs.foocorp.net/issues/695
author: Christopher Allan Webber <cwebber@dustycloud.org> 2011-12-05 08:35:42 -0600
committer: Christopher Allan Webber <cwebber@dustycloud.org> 2011-12-05 08:35:42 -0600
commit: bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782 (patch)
tree: fd6b84e850f20fe0b4ef76ae2d2050c0143f934d /mediagoblin/decorators.py
parent: 38f102515a84c1da25a9dab56d2fe7731412f4f5 (diff)
download: mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.tar.lz
mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.tar.xz
mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index 56dddb44..269b0c2e 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -58,7 +58,7 @@ def user_may_delete_media(controller):
     """
     def wrapper(request, *args, **kwargs):
         uploader = request.db.MediaEntry.find_one(
-            {'slug': request.matchdict['media']}).get_uploader()
+            {'_id': ObjectId(request.matchdict['media'])}).get_uploader()
         if not (request.user['is_admin'] or
                 request.user._id == uploader._id):
             return exc.HTTPForbidden()
author	Christopher Allan Webber <cwebber@dustycloud.org>	2011-12-05 08:35:42 -0600
committer	Christopher Allan Webber <cwebber@dustycloud.org>	2011-12-05 08:35:42 -0600
commit	bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782 (patch)
tree	fd6b84e850f20fe0b4ef76ae2d2050c0143f934d /mediagoblin/decorators.py
parent	38f102515a84c1da25a9dab56d2fe7731412f4f5 (diff)
download	mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.tar.lz mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.tar.xz mediagoblin-bcc9ee3205dfc6bc2b5e5dacb09de89121eb3782.zip