Fix security issue in checkout shipping address view

A user is able to select another user's address for shipping to.  Bad.

oscar/apps/checkout/views.py

     automatically converted into a SHIPPING address when the user checks out.
 
     Alternatively, the user can enter a SHIPPING address directly which will be
-    saved in the session and saved as a model when the order is sucessfully submitted.
+    saved in the session and later saved as ShippingAddress model when the order
+    is sucessfully submitted.
     """
-
     template_name = 'checkout/shipping_address.html'
     form_class = ShippingAddressForm
 
 
     def post(self, request, *args, **kwargs):
         # Check if a shipping address was selected directly (eg no form was filled in)
-        if self.request.user.is_authenticated and 'address_id' in self.request.POST:
-            address = UserAddress._default_manager.get(pk=self.request.POST['address_id'])
-            if 'action' in self.request.POST and self.request.POST['action'] == 'ship_to':
+        if self.request.user.is_authenticated() and 'address_id' in self.request.POST:
+            address = UserAddress._default_manager.get(pk=self.request.POST['address_id'],
+                                                       user=self.request.user)
+            action = self.request.POST.get('action', None)
+            if action == 'ship_to':
                 # User has selected a previous address to ship to
                 self.checkout_session.ship_to_user_address(address)
                 return HttpResponseRedirect(self.get_success_url())
-            elif 'action' in self.request.POST and self.request.POST['action'] == 'delete':
+            elif action == 'delete':
+                # Delete the selected address
                 address.delete()
                 messages.info(self.request, _("Address deleted from your address book"))
                 return HttpResponseRedirect(reverse('checkout:shipping-method'))