From 8833228d62f8b5be96a611a108a8c8465ffec2ad Mon Sep 17 00:00:00 2001
From: Henrik Levkowetz <henrik@levkowetz.com>
Date: Wed, 11 Jan 2017 15:24:27 +0000
Subject: [PATCH] Added guards against instances of queryset filtering using an
 object without primary key.  - Legacy-Id: 12642

---
 ietf/dbtemplate/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ietf/dbtemplate/views.py b/ietf/dbtemplate/views.py
index 1e55fc11d..cb24300c3 100644
--- a/ietf/dbtemplate/views.py
+++ b/ietf/dbtemplate/views.py
@@ -12,7 +12,7 @@ from ietf.ietfauth.utils import has_role
 def template_list(request, acronym):
     group = get_object_or_404(Group, acronym=acronym)
     chairs = group.role_set.filter(name__slug='chair')
-    if not has_role(request.user, "Secretariat") and not chairs.filter(person__user=request.user).count():
+    if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
         return HttpResponseForbidden("You are not authorized to access this view")
 
     template_list = DBTemplate.objects.filter(group=group)
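Review bot: The authorization test on the added line of `template_list` is repeated character for character in `template_show` (second hunk), so this guard had to be patched in two places and any later view that copies the line can miss it. Moving the decision into one helper beside the views, for example a proposed `def _is_chair_or_secretariat(user, group): return has_role(user, "Secretariat") or bool(user.id and group.role_set.filter(name__slug='chair', person__user=user).exists())`, keeps the access rule in a single place, and `.exists()` avoids counting rows only to test for non-zero. A short comment such as `# anonymous users have no pk; skip the chair lookup for them` would record why `request.user.id` is tested. Both function bodies continue outside the hunks, so whether `chairs` is needed further down cannot be seen from here.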
@@ -51,7 +51,7 @@ def template_show(request, acronym, template_id, base_template='dbtemplate/templ
     chairs = group.role_set.filter(name__slug='chair')
     extra_context = extra_context or {}
 
-    if not has_role(request.user, "Secretariat") and not chairs.filter(person__user=request.user).count():
+    if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
         return HttpResponseForbidden("You are not authorized to access this view")
 
     template = get_object_or_404(DBTemplate, id=template_id, group=group)