From 0e9953d1f905bf313a1bbe9581cac01c556a33e8 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Thu, 1 Feb 2018 07:20:12 +0100 Subject: check that requested article name actually matches order --- talerblog/blog/blog.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'talerblog/blog/blog.py') diff --git a/talerblog/blog/blog.py b/talerblog/blog/blog.py index 92b6de4..02d10d0 100644 --- a/talerblog/blog/blog.py +++ b/talerblog/blog/blog.py @@ -123,7 +123,6 @@ except ImportError: paid_articles_cache = SimpleCache() - # Triggers the refund by serving /refund/test?order_id=XY. # Will be triggered by a "refund button". @app.route("/refund/", methods=["POST"]) @@ -152,7 +151,6 @@ def refund(order_id): json=resp, stack=traceback.format_exc()) - def render_article(article_name, data, order_id): article_info = ARTICLES.get(article_name) if article_info is None: @@ -163,7 +161,7 @@ def render_article(article_name, data, order_id): return flask.send_file(get_image_file(data)) m = "Supplemental file ({}) for article ({}) not found.".format( data, article_name) - err_abort(500, message=m) + err_abort(404, message=m) # the order_id is needed for refunds return flask.render_template("templates/article_frame.html", article_file=get_article_file(article_info), 
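Review bot: Changing the missing-supplemental-file status to 404 is right, but the message built on the line above interpolates `data` into the error body, and `data` appears to be a route parameter (the next hunk shows `def article(article_name, data=None)`), so it is request-controlled text ending up in a response; how err_abort renders `message` is not visible here, so it is worth confirming it is emitted escaped rather than as raw HTML. The call `err_abort(404, message=m)` is also made without `return`, which only works if err_abort always raises — the rest of this file seems to rely on that, but a one-line comment such as `# err_abort raises; nothing below runs on this path` would make the intent explicit. render_article begins before the hunk.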
@@ -216,16 +214,17 @@ def article(article_name, data=None): pay_status = backend_get("check-payment", pay_params) - if pay_status.get("payment_redirect_url"): - return flask.redirect(pay_status["payment_redirect_url"]) - - if pay_status.get("refunded"): - return flask.render_template("templates/article_refunded.html", - article_name=article_name) - if pay_status.get("paid"): + if pay_status["contract_terms"]["extra"]["article_name"] != article_name: + err_abort(402, message="You did not pay for this article (nice try!)", json=pay_status) + if pay_status.get("refunded"): + return flask.render_template("templates/article_refunded.html", + article_name=article_name) paid_articles_cache.set(session_id + "-" + article_name, order_id) return render_article(article_name, data, order_id) + else: + if pay_status.get("payment_redirect_url"): + return flask.redirect(pay_status["payment_redirect_url"]) # no pay_redirect but article not paid, this should never happen! err_abort(500, message="Internal error, invariant failed", json=pay_status) -- cgit v1.2.3
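Review bot: The new 402 branch for the article-name mismatch returns the whole backend pay status to the client via `json=pay_status`, i.e. to a requester who by that very check did not pay for this article; if `order_id` comes from the request (pay_params is built before the hunk, so I cannot see its source), that discloses the contract terms of an order that may belong to someone else, so I would drop the payload there: `err_abort(402, message="You did not pay for this article (nice try!)")`. The check itself indexes `pay_status["contract_terms"]["extra"]["article_name"]` directly while every other access in this function uses `.get`, so a paid status without that key chain becomes an uncaught KeyError (a 500) instead of a controlled error; something like `extra = pay_status.get("contract_terms", {}).get("extra", {})` followed by `if extra.get("article_name") != article_name:` keeps the failure explicit. As a point of style, the `else:` after a branch that always returns can be flattened to keep the redirect path at the same nesting level. article() begins before the hunk.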