update CHANGES, fix typo in comment

2014-09-12 21:11:55 +02:00 · 2014-09-12 21:11:55 +02:00 · 3da3d82eb4
commit 3da3d82eb4
parent 6fc1f64698
2 changed files with 2 additions and 1 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -21,6 +21,7 @@ New Features:

 Fixes:

+* fix security issue: abuse_blocked flag could be worked around by abuser
 * refactored internal api so host/zone boundary is not lost and does not need
  to be discovered (we KNOW it) - fixes issues #122 and #138.
 * fixed tests so they behave on travis-ci
--- a/nsupdate/main/views.py
+++ b/nsupdate/main/views.py
@ -281,7 +281,7 @@ class DeleteHostView(DeleteView):
        obj = super(DeleteHostView, self).get_object(*args, **kwargs)
        if (obj.created_by != self.request.user or obj.abuse_blocked):
            # disallow deletion if abuse_blocked is set, otherwise the
-            # abuser can just delete and recreate the host)
+            # abuser can just delete and recreate the host
            raise PermissionDenied()  # or Http404
        return obj