From e0c432d0144eeb7ad04544bd8caaab75aae991a3 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 5 Jun 2019 16:27:21 +0200
Subject: [PATCH] [SECURITY] Do not allow to enumerate organizers
---
src/pretix/control/views/typeahead.py | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/pretix/control/views/typeahead.py b/src/pretix/control/views/typeahead.py
index 65f5eff2b..2e35ab1cd 100644
--- a/src/pretix/control/views/typeahead.py
+++ b/src/pretix/control/views/typeahead.py
@@ -149,10 +149,15 @@ def nav_context_list(request):
 ]
 if show_user and organizer:
- organizer = serialize_orga(Organizer.objects.get(pk=organizer))
- if organizer in results:
- results.remove(organizer)
- results.insert(1, organizer)
+ try:
+ organizer = serialize_orga(Organizer.objects.get(pk=organizer))
+ except Organizer.DoesNotExist:
+ pass
+ else:
+ if request.user.has_organizer_permission(organizer, request):
+ if organizer in results:
+ results.remove(organizer)
+ results.insert(1, organizer)
 doc = {
 'results': results,
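Review bot: The permission check in the added `else:` branch is given the serialized value rather than the organizer object, because `organizer` is rebound to the result of `serialize_orga(...)` inside the `try:` and that same name is then passed to `request.user.has_organizer_permission(organizer, request)`. Unless that method accepts the serialized form, which the hunk does not show, the check may never match for legitimately permitted users or may fail at runtime. Keep the model instance for the check and serialize only after it passes: `org = Organizer.objects.get(pk=organizer)`, `if request.user.has_organizer_permission(org, request=request):`, then `organizer = serialize_orga(org)`. Passing `request` by keyword also keeps it from landing in a different positional parameter, which should be confirmed against the method's signature. `nav_context_list` starts and ends outside the hunk.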