﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
280	One can post comments for non existent media	Elrond	Christopher Allan Webber	"{{{
#!rst
media\_post\_comment blindly takes the media id from
matchdict['media'], which is just filled in from the POST URL. So
by faking up a POST URL one can add comments for non existent
media.

I *think* a simple ``get_user_media_entry`` decorator and a little
rewriting should do the trick.

Priority High: This can be used to fill the db with invisible
cruft!
Estimated Time 1.5 h: The code change is done in 10 minutes, but
testing it requires either writing test code or fiddling with your
browser



}}}"	defect	closed	major	0.1.0	programming	FIXED			
