Check existence of POST argument

Improve robustness of views against malformed/forged requests by checking whether the owner_id POST attribute is set before accessing it. This fixes #187

Check existence of POST argument
70589016 · Benjamin Hättasch · 3a18dcd1 · 70589016
Commit 70589016 authored 2 years ago by Benjamin Hättasch
--- a/AKSubmission/views.py
+++ b/AKSubmission/views.py
@@ -311,6 +311,8 @@ class AKOwnerSelectDispatchView(EventSlugMixin, View):
    """

    def post(self, request, *args, **kwargs):
+        if "owner_id" not in request.POST:
+            return redirect('submit:submission_overview', event_slug=kwargs['event_slug'])
        owner_id = request.POST["owner_id"]

        if owner_id == "-1":
@@ -345,6 +347,8 @@ class AKOwnerEditDispatchView(EventSlugMixin, View):
    """

    def post(self, request, *args, **kwargs):
+        if "owner_id" not in request.POST:
+            return redirect('submit:submission_overview', event_slug=kwargs['event_slug'])
        owner_id = request.POST["owner_id"]

        if owner_id == "-1":