external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: Check if user exists when editing account

Browse source 
We should check if a user (target) exists before validating permissions.
Otherwise things crash when a TU is trying to edit an account that
does not exist.

Fixes: aurweb-errors#529
Signed-off-by: moson <moson@archlinux.org>
This commit is contained in:
moson 2023-08-04 14:12:50 +02:00
parent 7a44f37968
commit 94b62d2949
No known key found for this signature in database
GPG key ID: 4A4760AB4EE15296
2 changed files with 27 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
aurweb/routers/accounts.py
View file

@ -374,6 +374,9 @@ def cannot_edit(
:param user: Target user to be edited :param user: Target user to be edited
:return: RedirectResponse if approval != granted else None :return: RedirectResponse if approval != granted else None
""" """
# raise 404 if user does not exist
if not user:
raise HTTPException(status_code=HTTPStatus.NOT_FOUND)
approved = request.user.can_edit_user(user) approved = request.user.can_edit_user(user)
if not approved and (to := "/"): if not approved and (to := "/"):
if user: if user:

24
test/test_accounts_routes.py
View file

@ -764,6 +764,17 @@ def test_get_account_edit_unauthorized(client: TestClient, user: User):
assert response.headers.get("location") == expected assert response.headers.get("location") == expected
def test_get_account_edit_not_exists(client: TestClient, tu_user: User):
"""Test that users do not have an Account Type field."""
cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
endpoint = "/account/doesnotexist/edit"
with client as request:
request.cookies = cookies
response = request.get(endpoint)
assert response.status_code == int(HTTPStatus.NOT_FOUND)
def test_post_account_edit(client: TestClient, user: User): def test_post_account_edit(client: TestClient, user: User):
request = Request() request = Request()
sid = user.login(request, "testPassword") sid = user.login(request, "testPassword")
@ -872,6 +883,19 @@ def test_post_account_edit_dev(client: TestClient, tu_user: User):
assert expected in response.content.decode() assert expected in response.content.decode()
def test_post_account_edit_not_exists(client: TestClient, tu_user: User):
request = Request()
sid = tu_user.login(request, "testPassword")
post_data = {"U": "test", "E": "test666@example.org", "passwd": "testPassword"}
endpoint = "/account/doesnotexist/edit"
with client as request:
request.cookies = {"AURSID": sid}
response = request.post(endpoint, data=post_data)
assert response.status_code == int(HTTPStatus.NOT_FOUND)
def test_post_account_edit_language(client: TestClient, user: User): def test_post_account_edit_language(client: TestClient, user: User):
request = Request() request = Request()
sid = user.login(request, "testPassword") sid = user.login(request, "testPassword")