fix case when updating and new value is None (by comparing with in-memory user info)

a0b135d5 · Romain Loth · bbf8d18d · a0b135d5 · a0b135d5
Commit a0b135d5 authored Feb 21, 2017 by Romain Loth
Hide whitespace changes
Inline Side-by-side

Showing with 51 additions and 16 deletions

db.py services/db.py +32 -12

main.py services/main.py +19 -4

No files found.
--- a/services/db.py
+++ b/services/db.py
@@ -503,12 +503,12 @@ def find_scholar(some_key, some_str_value):
    return luid


-def save_scholar(safe_recs, reg_db, uactive=True, update_luid=None):
+def save_scholar(safe_recs, reg_db, uactive=True, update_user=None):
    """
    For new registration:
      -> add to *scholars* table, return new local uid

-    For profile change (just pass previous local uid in update_luid)
+    For profile change (just pass previous local user info in update_user)
      -> *update* scholars table

    see also COLS variable and doc/table_specifications.md
@@ -519,32 +519,52 @@ def save_scholar(safe_recs, reg_db, uactive=True, update_luid=None):
    db_qstrvals = []
    actual_len_dbg = 0

-    # POSS: simplify filter no more binary values triggering previous workaround
    for colinfo in USER_COLS:
        colname = colinfo[0]
+        # NB: each val already contains no quotes because of sanitize()
+        val = safe_recs.get(colname, None)

-        if not update_luid or colname != 'luid':
+        # when updating, we keep all values that have changed, including None
+        if update_user:
+            if colname in ["luid", "email"]:
+                # these two can't be updated
+                continue
+
+            old_val = update_user[colname]
+            if val != old_val:
+                actual_len_dbg += 1
+
+                if val == None:
+                    quotedstrval = "NULL"
+                else:
+                    quotedstrval = "'"+str(val)+"'"
+
+                mlog("DEBUG",
+                     "DB update %s (was: %s)" % (quotedstrval, str(old_val)))
+
+                db_tgtcols.append(colname)
+                db_qstrvals.append(quotedstrval)

-            # NB: each val already contains no quotes because of sanitize()
-            val = safe_recs.get(colname, None)

+        # when inserting, we keep all values != None
+        else:
            if val != None:
                actual_len_dbg += 1
                quotedstrval = "'"+str(val)+"'"

                mlog("DEBUG", "DB saving" + quotedstrval)

-                # anyways
                db_tgtcols.append(colname)
                db_qstrvals.append(quotedstrval)

+
    if uactive:
        db_tgtcols.append('record_status')
        db_qstrvals.append('"active"')

    reg_db_c = reg_db.cursor()

-    if not update_luid:
+    if not update_user:
        # expected colnames "(doors_uid, last_modified_date, email, ...)"
        db_tgtcols_str = ','.join(db_tgtcols)

@@ -562,16 +582,16 @@ def save_scholar(safe_recs, reg_db, uactive=True, update_luid=None):
        # UPDATE: full_statement with formated values
        full_statmt = 'UPDATE scholars SET %s WHERE luid = "%s"' % (
                            set_full_str,
-                            update_luid
+                            update_user['luid']
        )

-    mlog("DEBUG", "UPDATE" if update_luid else "INSERT",  "SQL statement:", full_statmt)
+    mlog("DEBUG", "UPDATE" if update_user else "INSERT",  "SQL statement:", full_statmt)

    reg_db_c.execute(full_statmt)
-    if not update_luid:
+    if not update_user:
        luid = reg_db_c.lastrowid
    else:
-        luid = update_luid
+        luid = update_user['luid']
    reg_db.commit()
    return luid


--- a/services/main.py
+++ b/services/main.py
@@ -140,6 +140,7 @@ def inject_doors_params():
        context_dict = dict(
            doors_connect= config['DOORS_HOST']
        )
+
    return context_dict

 @login_manager.unauthorized_handler
@@ -494,7 +495,9 @@ def profile():
            # normal action UPDATE
            else:
                try:
-                    luid = save_form(our_records, update_flag = True)
+                    luid = save_form(our_records,
+                                     update_flag = True,
+                                     previous_user_info = current_user.info)

                except Exception as perr:
                    return render_template(
@@ -644,9 +647,16 @@ def register():


 ########### SUBS ###########
-def save_form(clean_records, update_flag=False):
+def save_form(clean_records, update_flag=False, previous_user_info=None):
    """
    wrapper function for save profile/register (all DB-related form actions)
+
+    @args :
+        *clean_records*   a dict of sanitized form fields
+
+        optional (together):
+            update_flag            we update in DB instead of INSERT
+            previous_user_info     iff update_flag, like current_user.info
    """

    # A) a new DB connection
@@ -663,8 +673,13 @@ def save_form(clean_records, update_flag=False):
        # TODO class User method !!
    luid = None
    if update_flag:
-        luid = int(clean_records['luid'])
-        db.save_scholar(clean_records, reg_db, update_luid=luid)
+        luid = int(previous_user_info['luid'])
+        sent_luid = int(clean_records['luid'])
+        if luid != sent_luid:
+            mlog("WARNING", "User %i attempted to modify the data of another user (%i)!... Aborting update" % (luid, sent_luid))
+            return None
+        else:
+            db.save_scholar(clean_records, reg_db, update_user=previous_user_info)
    else:
        luid = int(db.save_scholar(clean_records, reg_db))