Bugfixes edit user list (Fix #1938)

2021-05-01 08:36:15 +02:00
parent ed2fa4cdd8
commit 64696fe973
3 changed files with 76 additions and 52 deletions
--- a/cps/admin.py
+++ b/cps/admin.py
@ -303,6 +303,7 @@ def list_users():
@admin_required
 def delete_user():
    user_ids = request.form.to_dict(flat=False)
+    users = None
    if "userid[]" in user_ids:
        users = ub.session.query(ub.User).filter(ub.User.id.in_(user_ids['userid[]'])).all()
    elif "userid" in user_ids:
@ -394,27 +395,42 @@ def edit_list_user(param):
                elif param == 'kindle_mail':
                    user.kindle_mail = valid_email(vals['value']) if vals['value'] else ""
                elif param.endswith('role'):
-                    if user.name == "Guest" and int(vals['field_index']) in \
+                    value = int(vals['field_index'])
+                    if user.name == "Guest" and value in \
                                 [constants.ROLE_ADMIN, constants.ROLE_PASSWD, constants.ROLE_EDIT_SHELFS]:
                        raise Exception(_("Guest can't have this role"))
-                    if vals['value'] == 'true':
-                        user.role |= int(vals['field_index'])
+                    # check for valid value, last on checks for power of 2 value
+                    if value > 0 and value <= constants.ROLE_VIEWER and (value & value-1 == 0 or value == 1):
+                        if vals['value'] == 'true':
+                            user.role |= value
+                        elif vals['value'] == 'false':
+                            if value == constants.ROLE_ADMIN:
+                                if not ub.session.query(ub.User).\
+                                       filter(ub.User.role.op('&')(constants.ROLE_ADMIN) == constants.ROLE_ADMIN,
+                                              ub.User.id != user.id).count():
+                                    return Response(
+                                        json.dumps([{'type': "danger",
+                                                     'message':_(u"No admin user remaining, can't remove admin role",
+                                                                 nick=user.name)}]), mimetype='application/json')
+                            user.role &= ~value
+                        else:
+                            raise Exception(_("Value has to be true or false"))
                    else:
-                        if int(vals['field_index']) == constants.ROLE_ADMIN:
-                            if not ub.session.query(ub.User).\
-                                   filter(ub.User.role.op('&')(constants.ROLE_ADMIN) == constants.ROLE_ADMIN,
-                                          ub.User.id != user.id).count():
-                                return Response(json.dumps([{'type': "danger",
-                                                            'message':_(u"No admin user remaining, can't remove admin role",
-                                                                        nick=user.name)}]), mimetype='application/json')
-                        user.role &= ~int(vals['field_index'])
+                        raise Exception(_("Invalid role"))
                elif param.startswith('sidebar'):
-                    if user.name == "Guest" and int(vals['field_index']) == constants.SIDEBAR_READ_AND_UNREAD:
+                    value = int(vals['field_index'])
+                    if user.name == "Guest" and value == constants.SIDEBAR_READ_AND_UNREAD:
                        raise Exception(_("Guest can't have this view"))
-                    if vals['value'] == 'true':
-                        user.sidebar_view |= int(vals['field_index'])
+                    # check for valid value, last on checks for power of 2 value
+                    if value > 0 and value <= constants.SIDEBAR_LIST and (value & value-1 == 0 or value == 1):
+                        if vals['value'] == 'true':
+                            user.sidebar_view |= value
+                        elif vals['value'] == 'false':
+                            user.sidebar_view &= ~value
+                        else:
+                            raise Exception(_("Value has to be true or false"))
                    else:
-                        user.sidebar_view &= ~int(vals['field_index'])
+                        raise Exception(_("Invalid view"))
                elif param == 'locale':
                    if user.name == "Guest":
                        raise Exception(_("Guest's Locale is determined automatically and can't be set"))
@ -664,6 +680,8 @@ def restriction_deletion(element, list_func):
 def prepare_tags(user, action, tags_name, id_list):
    if "tags" in tags_name:
        tags = calibre_db.session.query(db.Tags).filter(db.Tags.id.in_(id_list)).all()
+        if not tags:
+            raise Exception(_("Tag not found"))
        new_tags_list = [x.name for x in tags]
    else:
        tags = calibre_db.session.query(db.cc_classes[config.config_restricted_column])\
@ -672,8 +690,10 @@ def prepare_tags(user, action, tags_name, id_list):
    saved_tags_list = user.__dict__[tags_name].split(",") if len(user.__dict__[tags_name]) else []
    if action == "remove":
        saved_tags_list = [x for x in saved_tags_list if x not in new_tags_list]
-    else:
+    elif action == "add":
        saved_tags_list.extend(x for x in new_tags_list if x not in saved_tags_list)
+    else:
+        raise Exception(_("Invalid Action"))
    return ",".join(saved_tags_list)