CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

[SECURITY] Do not allow to enumerate organizers

Browse Source
This commit is contained in:
Raphael Michel
2019-06-05 16:27:21 +02:00
parent b66a35df7a
commit e0c432d014
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/pretix/control/views/typeahead.py
View File

@@ -149,10 +149,15 @@ def nav_context_list(request):
]
if show_user and organizer:
organizer = serialize_orga(Organizer.objects.get(pk=organizer))
if organizer in results:
results.remove(organizer)
results.insert(1, organizer)
try:
organizer = serialize_orga(Organizer.objects.get(pk=organizer))
except Organizer.DoesNotExist:
pass
else:
if request.user.has_organizer_permission(organizer, request):
if organizer in results:
results.remove(organizer)
results.insert(1, organizer)
doc = {
'results': results,