From 3da3d82eb4561485633ef577b360b354f4dffb71 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Fri, 12 Sep 2014 21:11:55 +0200
Subject: [PATCH] update CHANGES, fix typo in comment
---
 CHANGES.rst | 1 +
 nsupdate/main/views.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index bc3cd27..c2ae53f 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -21,6 +21,7 @@ New Features:
 Fixes:
+* fix security issue: abuse_blocked flag could be worked around by abuser
 * refactored internal api so host/zone boundary is not lost and does not need to be discovered (we KNOW it) - fixes issues #122 and #138.
 * fixed tests so they behave on travis-ci
diff --git a/nsupdate/main/views.py b/nsupdate/main/views.py
index 6e5d404..06c1b42 100644
--- a/nsupdate/main/views.py
+++ b/nsupdate/main/views.py
@@ -281,7 +281,7 @@ class DeleteHostView(DeleteView):
 obj = super(DeleteHostView, self).get_object(*args, **kwargs)
 if (obj.created_by != self.request.user or obj.abuse_blocked):
 # disallow deletion if abuse_blocked is set, otherwise the
- # abuser can just delete and recreate the host)
+ # abuser can just delete and recreate the host
 raise PermissionDenied() # or Http404
 return obj
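Review bot: The trailing `# or Http404` on `raise PermissionDenied()` leaves an authorization decision open in `DeleteHostView.get_object`. As written, a request for another user's host gets a 403, while Django's stock `get_object` answers 404 for a host that does not exist, so the response tells a non-owner which host ids are in use. Splitting the test would keep the blocked-host message for the owner only: `if obj.created_by != self.request.user: raise Http404()` followed by `if obj.abuse_blocked: raise PermissionDenied()` (the hunk does not show whether `Http404` is already imported in this module). The method's `def` line and the rest of the class are outside the hunk, so it is worth confirming that every other view able to remove or re-register a host applies the same `abuse_blocked` check, since the CHANGES entry describes the flag as having been worked around.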