diff options
| author | Baptiste Jonglez <git@bitsofnetworks.org> | 2020-07-17 17:43:33 +0200 |
|---|---|---|
| committer | zorun <github@bitsofnetworks.org> | 2020-07-26 19:21:16 +0200 |
| commit | 7fd18288888b7cc913382da2f3d1020815d74cdf (patch) | |
| tree | 2b6b0bc0efd5090d7ec94a1e17bc0ff6b6ce1487 /ihatemoney | |
| parent | 8d77cf5d5646e1d2d8ded13f0660638f57e98471 (diff) | |
| download | ihatemoney-mirror-7fd18288888b7cc913382da2f3d1020815d74cdf.zip ihatemoney-mirror-7fd18288888b7cc913382da2f3d1020815d74cdf.tar.gz ihatemoney-mirror-7fd18288888b7cc913382da2f3d1020815d74cdf.tar.bz2 | |
Fix crash when trying to get a member from the wrong project
This was hidden by the CVE-2020-15120 issue: now that we no longer return
members from the wrong project, we need to handle the case where there is
nothing to return.
Diffstat (limited to 'ihatemoney')
| -rw-r--r-- | ihatemoney/models.py | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/ihatemoney/models.py b/ihatemoney/models.py index 5691c75..8dc9b55 100644 --- a/ihatemoney/models.py +++ b/ihatemoney/models.py @@ -273,9 +273,8 @@ class Project(db.Model): This method returns the status DELETED or DEACTIVATED regarding the changes made. """ - try: - person = Person.query.get(member_id, self) - except orm.exc.NoResultFound: + person = Person.query.get(member_id, self) + if person is None: return None if not person.has_bills(): db.session.delete(person) @@ -381,7 +380,7 @@ class Person(db.Model): return ( Person.query.filter(Person.name == name) .filter(Person.project_id == project.id) - .one() + .one_or_none() ) def get(self, id, project=None): @@ -390,7 +389,7 @@ class Person(db.Model): return ( Person.query.filter(Person.id == id) .filter(Person.project_id == project.id) - .one() + .one_or_none() ) query_class = PersonQuery |