From 6460231ff62d946b5dcc2b2a4e4ef4e9e47fa8d4 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Fri, 17 Jul 2020 17:43:33 +0200
Subject: [PATCH] Fix crash when trying to get a member from the wrong project

This was hidden by the CVE-2020-15120 issue: now that we no longer return members from the wrong project, we need to handle the case where there is nothing to return.

(cherry picked from commit 7fd18288888b7cc913382da2f3d1020815d74cdf)
---
 ihatemoney/models.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/ihatemoney/models.py b/ihatemoney/models.py
index 0d471933..39c98920 100644
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@@ -218,9 +218,8 @@ class Project(db.Model):
 This method returns the status DELETED or DEACTIVATED regarding the changes made.
 """
- try:
- person = Person.query.get(member_id, self)
- except orm.exc.NoResultFound:
+ person = Person.query.get(member_id, self)
+ if person is None:
 return None
 if not person.has_bills():
 db.session.delete(person)
@@ -278,13 +277,13 @@ class Person(db.Model):
 def get_by_name(self, name, project):
 return Person.query.filter(Person.name == name)\
- .filter(Person.project_id == project.id).one()
+ .filter(Person.project_id == project.id).one_or_none()
 def get(self, id, project=None):
 if not project:
 project = g.project
 return Person.query.filter(Person.id == id)\
- .filter(Person.project_id == project.id).one()
+ .filter(Person.project_id == project.id).one_or_none()
 query_class = PersonQuery
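Review bot: The docstring visible at the top of the first hunk still promises only DELETED or DEACTIVATED, but the new `if person is None: return None` path is a third outcome that callers have to handle. This is the path taken when `member_id` belongs to another project (the CVE-2020-15120 case named in the commit message), so I would document it, e.g. add `Returns None if no member with this id exists in this project.` to the docstring. The method's signature and the rest of its body lie outside the hunk, so whether its callers turn None into a not-found response cannot be checked from here.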
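Review bot: Switching `get` and `get_by_name` from `.one()` to `.one_or_none()` in the second hunk changes the contract for every caller, not only `remove_member`: code that relied on `NoResultFound` now receives None and will fail later with an AttributeError unless it checks. Neither method has a docstring in the visible lines, so I would add one that states the project scoping and the None result, e.g. `"""Return the member with this id in the given project (default: g.project), or None if there is no match."""`. `one_or_none()` also still raises `MultipleResultsFound`, which `get_by_name` could hit if names are not unique within a project; no uniqueness constraint is visible in this hunk. The enclosing query class starts outside the hunk.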