lingo: return a 404 in case invoice id can't be decrypted (#12669)

2016-07-27 09:09:23 +02:00 · 2016-07-27 09:09:23 +02:00 · e7e5da510d
parent 1b71d7849e
commit e7e5da510d
1 changed files with 18 additions and 4 deletions
--- a/combo/apps/lingo/views.py
+++ b/combo/apps/lingo/views.py
@ -37,7 +37,7 @@ from django.utils.encoding import smart_text

 import eopayment

-from combo.utils import check_query, aes_hex_decrypt
+from combo.utils import check_query, aes_hex_decrypt, DecryptionError

 try:
    from mellon.models import UserSAMLIdentifier
@ -470,9 +470,17 @@ class ItemDownloadView(View):
    http_method_names = [u'get']

    def get(self, request, *args, **kwargs):
-        regie = Regie.objects.get(pk=kwargs['regie_id'])
+        try:
+            regie = Regie.objects.get(pk=kwargs['regie_id'])
+        except Regie.DoesNotExist:
+            raise Http404()
+
        try:
            item_id = aes_hex_decrypt(settings.SECRET_KEY, kwargs['item_crypto_id'])
+        except DecryptionError:
+            raise Http404()
+
+        try:
            data = regie.download_item(request, item_id)
        except PermissionDenied:
            return HttpResponseForbidden()
@ -494,8 +502,14 @@ class ItemView(TemplateView):
    template_name = 'lingo/combo/item.html'

    def get_context_data(self, **kwargs):
-        regie = Regie.objects.get(pk=kwargs['regie_id'])
-        item_id = aes_hex_decrypt(settings.SECRET_KEY, kwargs['item_crypto_id'])
+        try:
+            regie = Regie.objects.get(pk=kwargs['regie_id'])
+        except Regie.DoesNotExist:
+            raise Http404()
+        try:
+            item_id = aes_hex_decrypt(settings.SECRET_KEY, kwargs['item_crypto_id'])
+        except DecryptionError:
+            raise Http404()
        item = regie.get_item(self.request, item_id)
        if not item:
            raise Http404(_('No item was found.'))