From 5990d90bc52a23c0babe7f4bbff75f4f25eafeed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=A4ttasch?=
 <benjamin.haettasch@fachschaft.informatik.tu-darmstadt.de>
Date: Sun, 7 May 2023 23:31:00 +0200
Subject: [PATCH] Check existence of POST argument

Improve robustness of views against malformed/forged requests by checking whether the owner_id POST attribute is set before accessing it.
This fixes #187
---
 AKSubmission/views.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/AKSubmission/views.py b/AKSubmission/views.py
index d62762e1..86a5a2e1 100644
--- a/AKSubmission/views.py
+++ b/AKSubmission/views.py
@@ -311,6 +311,8 @@ class AKOwnerSelectDispatchView(EventSlugMixin, View):
     """
 
     def post(self, request, *args, **kwargs):
+        if "owner_id" not in request.POST:
+            return redirect('submit:submission_overview', event_slug=kwargs['event_slug'])
         owner_id = request.POST["owner_id"]
 
         if owner_id == "-1":
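Review bot: The added guard in `AKOwnerSelectDispatchView.post` only tests that the key is present, so an empty or non-numeric `owner_id` from a forged request still reaches the code after `if owner_id == "-1":`, which continues outside this hunk. If that code looks the owner up by an integer primary key (not visible here, so this is an assumption), such a value may still raise an unhandled exception there. Reading the value with `owner_id = request.POST.get("owner_id", "")` and redirecting on `if owner_id != "-1" and not owner_id.isdecimal():` would reject those requests at the same point. The same applies to the identical guard added in `AKOwnerEditDispatchView.post`.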
@@ -345,6 +347,8 @@ class AKOwnerEditDispatchView(EventSlugMixin, View):
     """
 
     def post(self, request, *args, **kwargs):
+        if "owner_id" not in request.POST:
+            return redirect('submit:submission_overview', event_slug=kwargs['event_slug'])
         owner_id = request.POST["owner_id"]
 
         if owner_id == "-1":
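Review bot: The malformed request is redirected silently here and in `AKOwnerSelectDispatchView.post`, so a forged or broken submission leaves no trace for the operator and gives no hint to a user whose form failed. A `logger.warning(...)` before the `redirect`, naming the view and omitting the request body, would make such requests visible; whether the module already defines a logger is not visible in this hunk. The two-line guard is also duplicated verbatim across both views, and a small shared helper or mixin method would keep them in step. A comment such as `# owner_id missing (malformed/forged request): avoid MultiValueDictKeyError, fall back to the overview` would record why the early return exists.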
-- 
GitLab