From e5f0631eda971cd53cd57303deefea6ec6c0a2b7 Mon Sep 17 00:00:00 2001
From: Flavio Tarsetti <flavio.tarsetti@idiap.ch>
Date: Fri, 28 Jul 2017 12:31:04 +0200
Subject: [PATCH] [accounts] patched api as request for supervision should be
 made ONLY to godfather accounts

---
 beat/web/accounts/api.py | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/beat/web/accounts/api.py b/beat/web/accounts/api.py
index 325c55dc1..81e18a25b 100644
--- a/beat/web/accounts/api.py
+++ b/beat/web/accounts/api.py
@@ -276,7 +276,32 @@ class SuperviseeAddGodfatherView(BaseCreateSupervisionTrackViewSupervisee):
     permission_classes = BaseCreateSupervisionTrackViewSupervisee.permission_classes
 
     def post(self, request, supervisor_name):
-        godfather = User.objects.get(username=supervisor_name)
+        #check if user exists and its validity and if it's a godfather account
+        try:
+            godfather = User.objects.get(username=supervisor_name)
+            if not godfather.profile.is_godfather:
+                #Not a valid godfather
+                reason = "Not a valid godfather request"
+                result = {
+                    'error': reason,
+                }
+                return BadRequestResponse(result)
+            else:
+                if godfather.profile.status == Profile.BLOCKED:
+                    #Not a valid godfather
+                    reason = "Not a valid godfather request"
+                    result = {
+                        'error': reason,
+                    }
+                    return BadRequestResponse(result)
+        except:
+            #This username does not exist but don't give too much information
+            reason = "Not a valid godfather request"
+            result = {
+                'error': reason,
+            }
+            return BadRequestResponse(result)
+
         supervisee = request.user
         if supervisee.profile.supervision_key is not None:
             #There's a key check if there's a valid track
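Review bot: The bare `except:` that closes the new block in `post` catches far more than a missing user: a database error, a user without a profile, or a NameError if `Profile` is not imported in this module (no import is visible in the hunk) would all come back as "Not a valid godfather request" with nothing logged, so a real failure looks like a rejected request. Returning one generic message for unknown, non-godfather and blocked accounts is worth keeping, because it avoids confirming which usernames exist. The lookup should catch only `User.DoesNotExist` and let everything else surface. The three identical response blocks can be collapsed at the same time, as sketched below; if a user can exist without a profile, that case needs its own explicit except clause. The rest of `post` continues past the end of the hunk.

```python
    def post(self, request, supervisor_name):
        # Same answer for unknown, non-godfather and blocked accounts, so the
        # response does not reveal which usernames exist.
        invalid_request = {'error': "Not a valid godfather request"}
        try:
            godfather = User.objects.get(username=supervisor_name)
        except User.DoesNotExist:
            return BadRequestResponse(invalid_request)

        profile = godfather.profile
        if not profile.is_godfather or profile.status == Profile.BLOCKED:
            return BadRequestResponse(invalid_request)

        supervisee = request.user
        # … unchanged: supervision_key / track handling …
```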
-- 
GitLab