From 96adadce5e5c5d10b9a55269af0ca7c3bcc86440 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20P=C3=A9pin?=
Date: Sat, 5 Oct 2019 01:25:36 +0200
Subject: [PATCH] Replace some 403 by 404 to avoid trigramme leaking

Fixes #224
---
 kfet/views.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/kfet/views.py b/kfet/views.py
index 4c8c6f47..dde4f24e 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -10,7 +10,6 @@ from django.contrib.auth.decorators import login_required, permission_required
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.models import Permission, User
 from django.contrib.messages.views import SuccessMessageMixin
-from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Count, F, Prefetch, Sum
 from django.forms import formset_factory
@@ -303,7 +302,7 @@ def account_read(request, trigramme):
     if not account.readable or (
         not request.user.has_perm("kfet.is_team") and request.user != account.user
     ):
-        raise PermissionDenied
+        raise Http404
 
     addcosts = (
         OperationGroup.objects.filter(opes__addcost_for=account, opes__canceled_at=None)
@@ -327,7 +326,7 @@ def account_update(request, trigramme):
 
     # Checking permissions
     if not request.user.has_perm("kfet.is_team") and request.user != account.user:
-        raise PermissionDenied
+        raise Http404
 
     user_info_form = UserInfoForm(instance=account.user)
 
@@ -2226,7 +2225,7 @@ class AccountStatBalanceList(PkUrlMixin, SingleResumeStat):
     def get_object(self, *args, **kwargs):
         obj = super().get_object(*args, **kwargs)
         if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
         return obj
 
     @method_decorator(login_required)
@@ -2345,7 +2344,7 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
     def get_object(self, *args, **kwargs):
         obj = super().get_object(*args, **kwargs)
         if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
         return obj
 
     @method_decorator(login_required)
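Review bot: The `raise Http404` in account_read only closes the trigramme oracle if the response is indistinguishable from the one served when the account genuinely does not exist, so the lookup that populates `account` above this hunk (outside it) and this masked raise must go through the same 404 handler and template, and no other endpoint (account creation, autocomplete, or any "is this trigramme free" check, if such views exist) may still answer differently for an existing trigramme — this patch covers only the `raise` sites. Because the intent is invisible in the code, a later maintainer is likely to "fix" the 404 back to a 403, so every masked raise in the patch deserves a why-comment such as `# Deliberately 404 rather than 403: a 403 would confirm the trigramme exists (#224)`. A small residual timing difference between the two paths remains (the permission branch has already fetched the account), which is probably acceptable here but worth stating in the comment. account_read's body starts and ends outside the hunk.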
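Review bot: The `get_object` override in AccountStatBalanceList now answers 404 to every non-owner, including team members, while account_read and account_update in the same patch exempt `kfet.is_team`; a team member who can open an account page will be told its balance stats do not exist, which reads as a bug rather than a policy. If stats are meant to be owner-only, say so with `# Stats are owner-only: team members are deliberately not exempted (see account_read)`; if not, the condition should become `if not self.request.user.has_perm("kfet.is_team") and self.request.user != obj.user:`. The check runs after `super().get_object()` has fetched the row, so the 404 masks only the response, not the query, which is fine for the stated goal. The enclosing class starts before the hunk and continues after it.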
@@ -2376,7 +2375,7 @@ class AccountStatOperationList(PkUrlMixin, SingleResumeStat):
     def get_object(self, *args, **kwargs):
         obj = super().get_object(*args, **kwargs)
         if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
         return obj
 
     @method_decorator(login_required)
@@ -2439,7 +2438,7 @@ class AccountStatOperation(ScaleMixin, PkUrlMixin, JSONDetailView):
     def get_object(self, *args, **kwargs):
         obj = super().get_object(*args, **kwargs)
         if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
         return obj
 
     @method_decorator(login_required)
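Review bot: The owner check in AccountStatOperation's `get_object` is the fourth identical copy in this patch (AccountStatBalanceList, AccountStatBalance, AccountStatOperationList, AccountStatOperation), and the 403-to-404 change had to be applied to each by hand, which is exactly how one copy ends up diverging from the others on the next policy change. Since all four already share `PkUrlMixin`, the check could live once in a small owner-only mixin placed first in the bases so its `super()` reaches the existing lookup, with the reason for the 404 documented in one place. Both enclosing classes start outside the hunks, so the base lists shown below are taken from the hunk headers.

```python
class OwnerOnlyMixin:
    """Restrict a detail view to the owner of the fetched object.

    Raises Http404 instead of PermissionDenied on purpose: a 403 would
    confirm that the trigramme exists (#224).
    """

    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        if self.request.user != obj.user:
            raise Http404
        return obj


class AccountStatOperation(OwnerOnlyMixin, ScaleMixin, PkUrlMixin, JSONDetailView):
    # … unchanged: per-view get_object override removed, rest of the class as before …
```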