Replace some 403 by 404 to avoid trigramme leaking

Fixes #224
2019-10-05 01:25:36 +02:00 · 2019-10-05 01:25:36 +02:00 · 96adadce5e
commit 96adadce5e
parent e8a9e808f5
1 changed files with 6 additions and 7 deletions
--- a/kfet/views.py
+++ b/kfet/views.py
@ -10,7 +10,6 @@ from django.contrib.auth.decorators import login_required, permission_required
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.models import Permission, User
 from django.contrib.messages.views import SuccessMessageMixin
-from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Count, F, Prefetch, Sum
 from django.forms import formset_factory
@ -303,7 +302,7 @@ def account_read(request, trigramme):
    if not account.readable or (
        not request.user.has_perm("kfet.is_team") and request.user != account.user
    ):
-        raise PermissionDenied
+        raise Http404

    addcosts = (
        OperationGroup.objects.filter(opes__addcost_for=account, opes__canceled_at=None)
@ -327,7 +326,7 @@ def account_update(request, trigramme):

    # Checking permissions
    if not request.user.has_perm("kfet.is_team") and request.user != account.user:
-        raise PermissionDenied
+        raise Http404

    user_info_form = UserInfoForm(instance=account.user)

@ -2226,7 +2225,7 @@ class AccountStatBalanceList(PkUrlMixin, SingleResumeStat):
    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
        return obj

    @method_decorator(login_required)
@ -2345,7 +2344,7 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
        return obj

    @method_decorator(login_required)
@ -2376,7 +2375,7 @@ class AccountStatOperationList(PkUrlMixin, SingleResumeStat):
    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
        return obj

    @method_decorator(login_required)
@ -2439,7 +2438,7 @@ class AccountStatOperation(ScaleMixin, PkUrlMixin, JSONDetailView):
    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        if self.request.user != obj.user:
-            raise PermissionDenied
+            raise Http404
        return obj

    @method_decorator(login_required)