From 94b62d2949c0b627bbeac4107c681ab7eccfff7d Mon Sep 17 00:00:00 2001
From: moson
Date: Fri, 4 Aug 2023 14:12:50 +0200
Subject: [PATCH] fix: Check if user exists when editing account

We should check if a user (target) exists before validating permissions. Otherwise things crash when a TU is trying to edit an account that does not exist.

Fixes: aurweb-errors#529
Signed-off-by: moson
---
 aurweb/routers/accounts.py | 3 +++
 test/test_accounts_routes.py | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/aurweb/routers/accounts.py b/aurweb/routers/accounts.py
index 010aae58..1c81ec1d 100644
--- a/aurweb/routers/accounts.py
+++ b/aurweb/routers/accounts.py
@@ -374,6 +374,9 @@ def cannot_edit(
 :param user: Target user to be edited
 :return: RedirectResponse if approval != granted else None
 """
+ # raise 404 if user does not exist
+ if not user:
+ raise HTTPException(status_code=HTTPStatus.NOT_FOUND)
 approved = request.user.can_edit_user(user)
 if not approved and (to := "/"):
 if user:
diff --git a/test/test_accounts_routes.py b/test/test_accounts_routes.py
index 3c481d0a..3ff6291a 100644
--- a/test/test_accounts_routes.py
+++ b/test/test_accounts_routes.py
@@ -764,6 +764,17 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
 assert response.headers.get("location") == expected


+def test_get_account_edit_not_exists(client: TestClient, tu_user: User):
"""Test that users do not have an Account Type field."""
cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
endpoint = "/account/doesnotexist/edit"
+
with client as request:
request.cookies = cookies
response = request.get(endpoint)
assert response.status_code == int(HTTPStatus.NOT_FOUND)
+
+
 def test_post_account_edit(client: TestClient, user: User):
 request = Request()
 sid = user.login(request, "testPassword")
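Review bot: The docstring directly above the new guard in `cannot_edit` still documents only `:param user:` and `:return:`, so the new 404 path is undocumented; add `:raises HTTPException: 404 if no user matches the requested name` alongside them. With the guard in place the `if user:` on the hunk's last context line can no longer be false, so that branch could be flattened, though its body and the rest of the function continue outside the hunk. Raising 404 before the permission check tells any caller whether a username exists; that is presumably no new exposure since AUR account pages are public, but it is worth confirming this route sits behind the same authentication requirement as the other account handlers. `cannot_edit`'s signature starts before the hunk.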
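Review bot: The docstring on `test_get_account_edit_not_exists` is copied from another test and describes an Account Type field, which this test never touches; replace it with `"""Editing a non-existent account must yield 404 instead of crashing."""`. The test only exercises a TU; because the existence guard now runs before the permission check, a plain `user` requesting the same endpoint should also receive 404 rather than the redirect asserted in `test_get_account_edit_unauthorized`, and a second assertion with the `user` fixture would pin that ordering.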
@@ -872,6 +883,19 @@ def test_post_account_edit_dev(client: TestClient, tu_user: User):
 assert expected in response.content.decode()


+def test_post_account_edit_not_exists(client: TestClient, tu_user: User):
request = Request()
sid = tu_user.login(request, "testPassword")
+
post_data = {"U": "test", "E": "test666@example.org", "passwd": "testPassword"}
+
endpoint = "/account/doesnotexist/edit"
with client as request:
request.cookies = {"AURSID": sid}
response = request.post(endpoint, data=post_data)
assert response.status_code == int(HTTPStatus.NOT_FOUND)
+
+
 def test_post_account_edit_language(client: TestClient, user: User):
 request = Request()
 sid = user.login(request, "testPassword")
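Review bot: `test_post_account_edit_not_exists` has no docstring; add `"""POSTing an edit for a non-existent account must yield 404."""` so the intent is clear next to `test_post_account_edit_dev`. The assertion covers only the status code; since the point of the fix is that the guard runs before any permission or update logic, consider also asserting that nothing about the logged-in TU changed (e.g. its stored email still differs from `test666@example.org`), if the fixtures make that cheap to check.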