Merge pull request #11 from jgiannuzzi/fix-unauthorized-uploads

[fix] Prevent users from uploading new versions of packages they do not own

Author: mosquito

pypi_server/handlers/pypi/package.py

@@ -282,6 +282,10 @@ def action_file_upload(self):
                 raise HTTPError(404)
 
             package = Package.get(lower_name=package_name)
+
+            if package.owner != self.current_user and not self.current_user.is_admin:
+                raise HTTPError(403)
+
             version = package.create_version(self.get_body_argument('version'))
 
             uploaded_file = self.request.files['content'][0]