
Commit 9855dc0

Merge pull request #655 from will-moore/switch_active_group_valueerror_fix
Handle invalid group id in switch_active_group
2 parents 1429a04 + 7ed8986 commit 9855dc0


1 file changed

+11
-4
lines changed


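--- a/omeroweb/webclient/views.py
+++ b/omeroweb/webclient/views.py
@@ -349,25 +349,32 @@ def change_active_group(request, conn=None, url=None, **kwargs):
 queries.
 Finally this redirects to the 'url'.
 """
-switch_active_group(request)
+switch_active_group(request, conn=conn)
 # avoid recursive calls
 if url is None or url.startswith(reverse("change_active_group")):
 url = reverse("webindex")
 url = validate_redirect_url(url)
 return HttpResponseRedirect(url)
 
 
-def switch_active_group(request, active_group=None):
+def switch_active_group(request, active_group=None, conn=None):
 """
 Simply changes the request.session['active_group'] which is then used by
 the @login_required decorator to configure conn for any group-based
 queries.
 """
 if active_group is None:
-active_group = get_long_or_default(request, "active_group", None)
+try:
+active_group = get_long_or_default(request, "active_group", None)
+except ValueError:
+pass
 if active_group is None:
 return
-active_group = int(active_group)
+# validate group exists and user is a member of this group (or admin)
+if conn is not None:
+group = conn.getObject("ExperimenterGroup", active_group)
+if group is None or not conn.isValidGroup(active_group):
+return
 if (
 "active_group" not in request.session
 or active_group != request.session["active_group"]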
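Review bot: The new existence and membership check in `switch_active_group` runs only under `if conn is not None:`, and `conn` defaults to `None`, so a caller that does not pass it still gets an unvalidated group id written to `request.session['active_group']`. Only `change_active_group` is updated here and other call sites are not visible, so either confirm they all pass `conn` or fail closed with `if conn is None: return` ahead of the check, and add a line to the docstring saying that an invalid or non-member group id is ignored without error. Dropping `active_group = int(active_group)` also means a value supplied through the `active_group` argument is no longer coerced, so a string id would be compared with the integer held in the session and passed as-is to `conn.getObject`; restoring the cast under the same `except ValueError` guard would cover both input paths. The body of `switch_active_group` continues past the end of the hunk, so the session write itself is not shown.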
