From 19aa273bf8af421c735eeb63d40e8009c587e9b8 Mon Sep 17 00:00:00 2001
From: Jennifer Taylor
Date: Sat, 28 Aug 2021 19:02:04 +0000
Subject: [PATCH] Fix 500 error on requesting an invalid arcade on the frontend, remove possible enumeration via error checking.
---
 bemani/frontend/arcade/arcade.py | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)
diff --git a/bemani/frontend/arcade/arcade.py b/bemani/frontend/arcade/arcade.py
index 61b7af9..9d81e25 100644
--- a/bemani/frontend/arcade/arcade.py
+++ b/bemani/frontend/arcade/arcade.py
@@ -138,7 +138,7 @@ def viewarcade(arcadeid: int) -> Response:
 arcadeid = ArcadeID(arcadeid)
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 abort(403)
 machines = [
 format_machine(machine) for machine in g.data.local.machine.get_all_machines(arcade.id)
@@ -178,9 +178,7 @@ def listarcade(arcadeid: int) -> Dict[str, Any]:
 # Make sure the arcade is valid
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if arcade is None:
- raise Exception('Unable to find arcade to list!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to list!')
 machines = [
@@ -205,9 +203,7 @@ def addbalance(arcadeid: int) -> Dict[str, Any]:
 # Make sure the arcade is valid
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if arcade is None:
- raise Exception('Unable to find arcade to update!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to update!')
 try:
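Review bot: The combined check in viewarcade carries no comment explaining why a missing arcade deliberately gets the same 403 as an unowned one, so a later cleanup could split it back into a 404 and a 403 and reopen the enumeration path this commit closes. A one-line comment above the `if` would record the intent, for example `# Missing and unowned arcades both get 403 so the response does not reveal which arcade IDs exist.` The body of viewarcade continues outside the hunk.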
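Review bot: The same lookup-plus-ownership guard is now repeated verbatim in listarcade, addbalance, updatebalance, updatepin, updatearcade and updatesettings, and the enumeration fix only holds while every copy keeps the missing-arcade case and the not-owner case on one branch with one message. A shared helper would make that invariant hard to break when a new handler is added; the sketch below is one possible shape, with a proposed name and the action word passed in so each handler keeps its current message. How the raised Exception is turned into a response is outside these hunks, so it is worth confirming that the wrapper returns the same status and body for both cases. Each handler's body continues outside its hunk.
```python
def _require_owned_arcade(arcadeid: ArcadeID, action: str):
    # Missing and unowned arcades must fail identically so the error
    # cannot be used to tell which arcade IDs exist.
    arcade = g.data.local.machine.get_arcade(arcadeid)
    if arcade is None or g.userID not in arcade.owners:
        raise Exception(f'You don\'t own this arcade, refusing to {action}!')
    return arcade

# in listarcade, replacing the lookup and the if/raise pair:
arcade = _require_owned_arcade(arcadeid, 'list')
```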
@@ -250,9 +246,7 @@ def updatebalance(arcadeid: int) -> Dict[str, Any]:
 # Make sure the arcade is valid
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if arcade is None:
- raise Exception('Unable to find arcade to update!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to update!')
 # Update balances
@@ -288,9 +282,7 @@ def updatepin(arcadeid: int) -> Dict[str, Any]:
 # Make sure the arcade is valid
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if arcade is None:
- raise Exception('Unable to find arcade to update!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to update!')
 if not valid_pin(pin, 'arcade'):
@@ -314,9 +306,7 @@ def updatearcade(arcadeid: int, attribute: str) -> Dict[str, Any]:
 # Attempt to look this arcade up
 new_value = request.get_json()['value']
 arcade = g.data.local.machine.get_arcade(arcadeid)
- if arcade is None:
- raise Exception('Unable to find arcade to update!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to update!')
 if attribute == 'paseli_enabled':
@@ -345,10 +335,7 @@ def updatesettings(arcadeid: int) -> Dict[str, Any]:
 # Attempt to look this arcade up
 arcade = g.data.local.machine.get_arcade(arcadeid)
-
- if arcade is None:
- raise Exception('Unable to find arcade to update!')
- if g.userID not in arcade.owners:
+ if arcade is None or g.userID not in arcade.owners:
 raise Exception('You don\'t own this arcade, refusing to update!')
 game = GameConstants(request.get_json()['game'])
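Review bot: In updatearcade the request body is read (`new_value = request.get_json()['value']`) before the ownership check, so a caller who does not own the arcade can hit a body-parsing failure instead of the uniform ownership error. That does not reveal whether the arcade exists, but it means authorization is not the first thing that can fail on this endpoint. Moving the `new_value = ...` line below the `if arcade is None or g.userID not in arcade.owners:` block would keep the unauthorized response identical for every request, which is the order updatesettings already uses for its `game` field. The body of updatearcade continues outside the hunk.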