From 3a4a1b7357ec7a4de6400b04dea2bf0082e20437 Mon Sep 17 00:00:00 2001
From: 0livd <0livd@users.noreply.github.com>
Date: Wed, 6 Sep 2017 18:49:15 +0200
Subject: [PATCH] Fixed exposed password in session

The project password was set in clear text in the session cookie. The cookie payload is only base64 encoded so it must not be used to store private information. The password is simply replaced by a boolean.
---
 ihatemoney/tests/tests.py | 4 ++--
 ihatemoney/web.py | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index 36ca6fc2..6c0ccb9f 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -181,7 +181,7 @@ class BudgetTestCase(IhatemoneyTestCase):
 })
 # session is updated
- self.assertEqual(session['raclette'], 'party')
+ self.assertTrue(session['raclette'])
 # project is created
 self.assertEqual(len(models.Project.query.all()), 1)
@@ -373,7 +373,7 @@ class BudgetTestCase(IhatemoneyTestCase):
 self.assertNotIn("Authentication", resp.data.decode('utf-8'))
 self.assertIn('raclette', session)
- self.assertEqual(session['raclette'], 'raclette')
+ self.assertTrue(session['raclette'])
 # logout should wipe the session out
 c.get("/exit")
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 753fe42d..181ac731 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -105,7 +105,7 @@ def pull_project(endpoint, values):
 project_id=project_id))
 is_admin = session.get('is_admin')
- if (project.id in session and session[project.id] == project.password) or is_admin:
+ if session.get(project.id) or is_admin:
 # add project into kwargs and call the original function
 g.project = project
 else:
@@ -173,7 +173,7 @@ def authenticate(project_id=None):
 else:
 # if credentials are already in session, redirect
- if project_id in session and project.password == session[project_id]:
+ if session.get(project_id):
 setattr(g, 'project', project)
 return redirect(url_for(".list_bills"))
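Review bot: `self.assertTrue(session['raclette'])` in both tests.py hunks (here and at @@ -373) passes for any truthy value, including the plaintext password string the commit is removing, so the test no longer guards against the regression it was changed for. Assert the exact sentinel the new code stores, `self.assertIs(session['raclette'], True)`, and consider an additional assertion that the project password string does not appear anywhere in the session contents after authentication. The enclosing test methods start outside the hunk.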
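Review bot: `if session.get(project.id) or is_admin:` grants access on any truthy value under the project-id key, and the session already holds other keys in the same flat namespace (`session['is_admin']` on the line above, and `session["projects"]`, a list, at @@ -189), so a project whose id equals one of those names would be treated as authenticated whenever that entry is non-empty; whether ids can collide with them depends on project-id validation not visible here. Comparing against the sentinel the commit stores, `if session.get(project.id) is True or is_admin:`, closes that gap cheaply, and it also stops pre-upgrade cookies that still carry the password string from being accepted as a valid login; the same applies to `if session.get(project_id):` at @@ -173. pull_project continues outside the hunk.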
@@ -189,7 +189,7 @@ def authenticate(project_id=None):
 session["projects"] = []
 # add the project on the top of the list
 session["projects"].insert(0, (project_id, project.name))
- session[project_id] = form.password.data
+ session[project_id] = True
 session.update()
 setattr(g, 'project', project)
 return redirect(url_for(".list_bills"))
@@ -233,7 +233,7 @@ def create_project():
 db.session.commit()
 # create the session object (authenticate)
- session[project.id] = project.password
+ session[project.id] = True
 session.update()
 # send reminder email
@@ -290,8 +290,8 @@ def edit_project():
 if request.method == "POST":
 if edit_form.validate():
 project = edit_form.update(g.project)
+ db.session.add(project)
 db.session.commit()
- session[project.id] = project.password
 return redirect(url_for(".list_bills"))
@@ -359,7 +359,7 @@ def demo():
 contact_email="demo@notmyidea.org")
 db.session.add(project)
 db.session.commit()
- session[project.id] = project.password
+ session[project.id] = True
 return redirect(url_for(".list_bills", project_id=project.id))
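Review bot: With the password no longer part of the session check and `session[project.id] = project.password` dropped from edit_project at @@ -290, changing a project's password no longer invalidates sessions that authenticated with the old one: previously the stale stored value stopped matching on the next request, whereas the `True` flag written at @@ -189, @@ -233 and @@ -359 stays valid until logout or cookie expiry. If that trade-off is intended, record it next to the removed line, e.g. `# session holds only an auth flag; a password change does not log out sessions opened with the old password`; otherwise store a non-secret value that changes whenever the password does (a version counter, never the password or its hash) alongside the flag and compare it in pull_project. edit_project's body continues outside the hunk.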