almet/ihatemoney
1
0
Fork 0
mirror of https://github.com/spiral-project/ihatemoney.git synced 2025-04-29 09:52:36 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix crash when trying to get a member from the wrong project

Browse source 
This was hidden by the CVE-2020-15120 issue: now that we no longer return
members from the wrong project, we need to handle the case where there is
nothing to return.

(cherry picked from commit 7fd1828888)
This commit is contained in:
Baptiste Jonglez 2020-07-17 17:43:33 +02:00 committed by zorun
parent 9aef13b50c
commit 6460231ff6
1 changed files with 4 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ihatemoney/models.py
View file

@ -218,9 +218,8 @@ class Project(db.Model):
This method returns the status DELETED or DEACTIVATED regarding the
changes made.
"""
try:
person = Person.query.get(member_id, self)
except orm.exc.NoResultFound:
if person is None:
return None
if not person.has_bills():
db.session.delete(person)
@ -278,13 +277,13 @@ class Person(db.Model):
def get_by_name(self, name, project):
return Person.query.filter(Person.name == name)\
.filter(Person.project_id == project.id).one()
.filter(Person.project_id == project.id).one_or_none()
def get(self, id, project=None):
if not project:
project = g.project
return Person.query.filter(Person.id == id)\
.filter(Person.project_id == project.id).one()
.filter(Person.project_id == project.id).one_or_none()
query_class = PersonQuery