almet/ihatemoney
1
0
Fork 0
mirror of https://github.com/spiral-project/ihatemoney.git synced 2025-04-30 18:22:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix crash when trying to get a member from the wrong project

Browse source 
This was hidden by the CVE-2020-15120 issue: now that we no longer return
members from the wrong project, we need to handle the case where there is
nothing to return.
This commit is contained in:
Baptiste Jonglez 2020-07-17 17:43:33 +02:00 committed by zorun
parent 8d77cf5d56
commit 7fd1828888
1 changed files with 4 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ihatemoney/models.py
View file

@ -273,9 +273,8 @@ class Project(db.Model):
This method returns the status DELETED or DEACTIVATED regarding the This method returns the status DELETED or DEACTIVATED regarding the
changes made. changes made.
""" """
try:
person = Person.query.get(member_id, self) person = Person.query.get(member_id, self)
except orm.exc.NoResultFound: if person is None:
return None return None
if not person.has_bills(): if not person.has_bills():
db.session.delete(person) db.session.delete(person)
@ -381,7 +380,7 @@ class Person(db.Model):
return ( return (
Person.query.filter(Person.name == name) Person.query.filter(Person.name == name)
.filter(Person.project_id == project.id) .filter(Person.project_id == project.id)
.one() .one_or_none()
) )
def get(self, id, project=None): def get(self, id, project=None):
@ -390,7 +389,7 @@ class Person(db.Model):
return ( return (
Person.query.filter(Person.id == id) Person.query.filter(Person.id == id)
.filter(Person.project_id == project.id) .filter(Person.project_id == project.id)
.one() .one_or_none()
) )
query_class = PersonQuery query_class = PersonQuery