Add permission check for job deletion.

app/jobs/views.py

@@ -20,10 +20,11 @@ def job(job_id):
 @jobs.route('/<int:job_id>/delete')
 @login_required
 def delete_job(job_id):
-    delete_thread = threading.Thread(
-        target=background_delete_job,
-        args=(current_app._get_current_object(), job_id)
-    )
+    job = Job.query.get_or_404(job_id)
+    if not (job.creator == current_user or current_user.is_administrator()):
+        abort(403)
+    delete_thread = threading.Thread(target=background_delete_job,
+                                     args=(current_app, job_id))
     delete_thread.start()
     flash('Job has been deleted!')
     return redirect(url_for('main.dashboard'))