path: root/talerblog/blog/blog.py
authorFlorian Dold <florian.dold@gmail.com>2018-02-01 07:20:12 +0100
committerFlorian Dold <florian.dold@gmail.com>2018-02-01 07:20:12 +0100
commit0e9953d1f905bf313a1bbe9581cac01c556a33e8 (patch)
tree6f6366e5a304a38c705531cb3144073a3d948040 /talerblog/blog/blog.py
parentd83dbc32bc117d88cdd0956700533e8bd038b627 (diff)
check that requested article name actually matches order
Diffstat (limited to 'talerblog/blog/blog.py')
-rw-r--r--talerblog/blog/blog.py19
1 files changed, 9 insertions, 10 deletions
diff --git a/talerblog/blog/blog.py b/talerblog/blog/blog.py
index 92b6de4..02d10d0 100644
--- a/talerblog/blog/blog.py
+++ b/talerblog/blog/blog.py
@@ -123,7 +123,6 @@ except ImportError:
paid_articles_cache = SimpleCache()
-
# Triggers the refund by serving /refund/test?order_id=XY.
# Will be triggered by a "refund button".
@app.route("/refund/<order_id>", methods=["POST"])
@@ -152,7 +151,6 @@ def refund(order_id):
json=resp, stack=traceback.format_exc())
-
def render_article(article_name, data, order_id):
article_info = ARTICLES.get(article_name)
if article_info is None:
@@ -163,7 +161,7 @@ def render_article(article_name, data, order_id):
return flask.send_file(get_image_file(data))
m = "Supplemental file ({}) for article ({}) not found.".format(
data, article_name)
- err_abort(500, message=m)
+ err_abort(404, message=m)
# the order_id is needed for refunds
return flask.render_template("templates/article_frame.html",
article_file=get_article_file(article_info),
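Review bot: The new `err_abort(404, message=m)` is the only thing standing between a missing supplemental file and the `return flask.render_template(...)` that follows it, so the code depends on err_abort never returning, which this hunk cannot confirm. A one-line comment would make that contract explicit for the next reader, e.g. `# err_abort raises, so the article frame below is only rendered when the supplemental file exists`. The 404 also echoes the requested `data` value in its message; that is fine for a not-found response provided err_abort's rendering escapes it, which is worth confirming if the message ends up in an HTML page rather than a JSON body. render_article's body continues outside the hunk.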
@@ -216,16 +214,17 @@ def article(article_name, data=None):
pay_status = backend_get("check-payment", pay_params)
- if pay_status.get("payment_redirect_url"):
- return flask.redirect(pay_status["payment_redirect_url"])
-
- if pay_status.get("refunded"):
- return flask.render_template("templates/article_refunded.html",
- article_name=article_name)
-
if pay_status.get("paid"):
+ if pay_status["contract_terms"]["extra"]["article_name"] != article_name:
+ err_abort(402, message="You did not pay for this article (nice try!)", json=pay_status)
+ if pay_status.get("refunded"):
+ return flask.render_template("templates/article_refunded.html",
+ article_name=article_name)
paid_articles_cache.set(session_id + "-" + article_name, order_id)
return render_article(article_name, data, order_id)
+ else:
+ if pay_status.get("payment_redirect_url"):
+ return flask.redirect(pay_status["payment_redirect_url"])
# no pay_redirect but article not paid, this should never happen!
err_abort(500, message="Internal error, invariant failed", json=pay_status)