In JobAuthMixin, we can safely provided a wrong job id.

65e6eb1d · sebastien letort · af9b6351 · 65e6eb1d
Commit 65e6eb1d authored May 07, 2019 by sebastien letort
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

django/allgo/main/mixins.py django/allgo/main/mixins.py +5 -1

No files found.
--- a/django/allgo/main/mixins.py
+++ b/django/allgo/main/mixins.py
@@ -97,7 +97,11 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
        if user is None:
            return False
        self.raise_exception = True # to return a 403
-        job = Job.objects.filter(pk=self.kwargs['pk']).first()
+        try:
+            job = Job.objects.get(id=self.kwargs['pk'])
+        except Job.DoesNotExist:
+            return False
+
        return user.is_superuser or user == getattr(job, "user", ())

    def handle_no_permission(self):