Added guards against instances of queryset filtering using an object without primary key.

- Legacy-Id: 12642
Henrik Levkowetz 2017-01-11 15:24:27 +00:00
parent 74753b6c35
commit 8833228d62


@ -12,7 +12,7 @@ from ietf.ietfauth.utils import has_role
def template_list(request, acronym):
group = get_object_or_404(Group, acronym=acronym)
chairs = group.role_set.filter(name__slug='chair')
if not has_role(request.user, "Secretariat") and not chairs.filter(person__user=request.user).count():
if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
return HttpResponseForbidden("You are not authorized to access this view")
template_list = DBTemplate.objects.filter(group=group)
@ -51,7 +51,7 @@ def template_show(request, acronym, template_id, base_template='dbtemplate/templ
chairs = group.role_set.filter(name__slug='chair')
extra_context = extra_context or {}
if not has_role(request.user, "Secretariat") and not chairs.filter(person__user=request.user).count():
if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
return HttpResponseForbidden("You are not authorized to access this view")
template = get_object_or_404(DBTemplate, id=template_id, group=group)
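Review bot: The new `request.user.id and ...` guard in `template_list` is repeated verbatim in the `template_show` hunk, so the access rule for these views lives in two copies that must be kept in step; a small shared helper taking the user and the chairs queryset would leave one place to audit. The reason for the `request.user.id` test is not visible at the call site, so a comment such as `# AnonymousUser has no primary key; skip the chairs lookup for it` would help the next reader. Since only presence matters, `chairs.filter(person__user=request.user).exists()` expresses the check more directly than `.count()`. Both function bodies continue outside the hunks, and whether `has_role` copes with an anonymous user on its own cannot be confirmed from these lines.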