This was hidden by the CVE-2020-15120 issue: now that we no longer return
members from the wrong project, we need to handle the case where there is
nothing to return.
(cherry picked from commit 7fd1828888)
An authenticated member of one project can modify and delete members of
another project, without knowledge of this other project's private
code. This can be further exploited to access all bills of another project
without knowledge of this other project's private code.
With the default configuration, anybody is allowed to create a new
project. An attacker can create a new project and then use it to become
authenticated and exploit this flaw. As such, the exposure is similar to
an unauthenticated attack, because it is trivial to become authenticated.
This issue was caused by wrong database queries in PersonQuery.
For more details, see https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9
(cherry picked from commit 8d77cf5d56)
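As an added illustration of the query-scoping problem described in the two commit messages above (this is not ihatemoney's own code; the schema, table names and function names are constructed for the example), the unscoped lookup is shown next to the project-scoped form, whose callers must then handle an empty result:

```python
import sqlite3


def make_db():
    """Constructed sample data: two projects, each with one member."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project (id TEXT PRIMARY KEY);
        CREATE TABLE person (
            id INTEGER PRIMARY KEY,
            project_id TEXT NOT NULL REFERENCES project(id),
            name TEXT NOT NULL);
        INSERT INTO project VALUES ('alpha'), ('beta');
        INSERT INTO person VALUES (1, 'alpha', 'alice'), (2, 'beta', 'bob');
    """)
    return db


def get_member_unscoped(db, member_id):
    """Flawed shape: selects by member id only, so a caller authenticated
    for one project can reach members of any other project."""
    return db.execute(
        "SELECT id, project_id, name FROM person WHERE id = ?",
        (member_id,)).fetchone()


def get_member(db, project_id, member_id):
    """Scoped lookup: the member must belong to the project the caller is
    authenticated for. Returns None otherwise, and callers have to handle
    that 'nothing to return' case instead of assuming a row."""
    return db.execute(
        "SELECT id, project_id, name FROM person "
        "WHERE id = ? AND project_id = ?",
        (member_id, project_id)).fetchone()


def delete_member(db, project_id, member_id):
    """Scoped delete: True only if a member of *this* project was removed."""
    cur = db.execute(
        "DELETE FROM person WHERE id = ? AND project_id = ?",
        (member_id, project_id))
    db.commit()
    return cur.rowcount == 1
```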
This removes strings that are not used in this stable branch.
This is done with:
pybabel update --ignore-obsolete -i ihatemoney/messages.pot -d ihatemoney/translations/
Fixes b4f51867b6 ("Fix crash when a localized email template is missing (#592)")
Fixes 38aae77d33 ("Improve error handling when sending emails")
Fixes 77f50e9137 ("Add new tests to check for email failures")
When updating I Hate Money from python2 to python3, any leftover cookie
set from python2 causes the python3 version to crash when reading the
cookie back.
This is a bug/omission in Flask-WTF: https://github.com/lepture/flask-wtf/issues/275
It was fixed in 0.14.3 with: eff54eca0d
Since we have only three places that call send_email() and already several
special cases, it's simpler to just check the return value and flash
messages within the calling code.
No user of post_project() was using its return value, so it was not useful
to follow redirections up to now.
However, for new and future usages of post_project(), it's clearer to
follow redirections by default. Tests can still disable redirects if they
need to test something special.
In one case, we were not catching socket-related exceptions, and in the
two other cases there was no error handling at all. Sending emails can
easily fail if no email server is configured, so it is really necessary to
handle these errors instead of crashing with an HTTP 500 error.
Refactor email sending code and add proper error handling.
Show alert messages that tell the user if an email was sent or if there
was an error.
When sending a password reminder email or inviting people by email, don't
proceed to the next step in case of error, because sending emails is the
whole point of these actions.
Werkzeug 1.0.0 changed some imports, and this breaks the version of
Flask-Babel we use. It's been fixed since then, but better keep it safe
by pinning a slightly older version of Werkzeug.