diff options
author | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2014-05-05 12:36:42 +0200 |
---|---|---|
committer | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2014-05-05 12:36:42 +0200 |
commit | 3633fc4125da6605dde3a7cca760be79baf03429 (patch) | |
tree | a2516c9d1f13e4b919c9115ff13d537442b58d60 /pyaggr3g470r/views.py | |
parent | Integration of recaptcha module. (diff) | |
download | newspipe-3633fc4125da6605dde3a7cca760be79baf03429.tar.gz newspipe-3633fc4125da6605dde3a7cca760be79baf03429.tar.bz2 newspipe-3633fc4125da6605dde3a7cca760be79baf03429.zip |
Fixed a security problem.
Diffstat (limited to 'pyaggr3g470r/views.py')
-rw-r--r-- | pyaggr3g470r/views.py | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/pyaggr3g470r/views.py b/pyaggr3g470r/views.py index dbbaf5d0..a0373ef0 100644 --- a/pyaggr3g470r/views.py +++ b/pyaggr3g470r/views.py @@ -177,7 +177,7 @@ def signup(): lastname=form.lastname.data, email=form.email.data, pwdhash=generate_password_hash(form.password.data)) - user.roles.extend([role_user]) + user.roles = [role_user] db.session.add(user) try: db.session.commit() @@ -685,17 +685,18 @@ def create_user(user_id=None): if request.method == 'POST': if form.validate(): + role_user = Role.query.filter(Role.name == "user").first() if user_id is not None: # Edit a user user = User.query.filter(User.id == user_id).first() form.populate_obj(user) if form.password.data != "": user.set_password(form.password.data) + user.roles = [role_user] db.session.commit() flash(gettext('User') + ' ' + user.firstname + ' ' + gettext('successfully updated.'), 'success') else: # Create a new user - role_user = Role.query.filter(Role.name == "user").first() user = User(firstname=form.firstname.data, lastname=form.lastname.data, email=form.email.data, |