Commit c042a84e authored by Łukasz Nowak

Avoid system misconfiguration exposure.

If API has been called with loggable user, but without Person document (which
shall never happen!) just log this information and return server side error.
parent 663a0272
...@@ -95,8 +95,14 @@ class InstancePublisher(GenericPublisher): ...@@ -95,8 +95,14 @@ class InstancePublisher(GenericPublisher):
person = self.getPortalObject().ERP5Site_getAuthenticatedMemberPersonValue() person = self.getPortalObject().ERP5Site_getAuthenticatedMemberPersonValue()
if person is None: if person is None:
response.setStatus(404) transaction.abort()
response.setBody(json.dumps({'error': 'User does not exists.'})) LOG('VifibRestApiV1Tool', INFO,
'Currenty logged in user %r has no Person document.'%
self.getPortalObject().getAuthenticatedMember())
response.setStatus(500)
response.setBody(json.dumps({'error':
'There is system issue, please try again later.'}))
return response
request_dict = {} request_dict = {}
error_dict = {} error_dict = {}
......
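Review bot: The LOG call in the "person is None" branch uses level INFO for a state the commit message says shall never happen; log it at WARNING or ERROR so the misconfiguration stands out from routine entries and can be alerted on. The message string also has a typo ('Currenty'), which will defeat a log search for "Currently logged in user". The hunk starts at line 95, so the imports for transaction, LOG and INFO are not visible here; confirm they are present at module top, otherwise this branch raises NameError instead of returning the intended 500 response.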