]> git.openstreetmap.org Git - osqa.git/blobdiff - forum/badges/base.py
fix breach in award points that allows user to award infinite points
[osqa.git] / forum / badges / base.py
index 79fcb523c73d5b1d1ab7c9a25becedc5cac40ca0..c78a925e80685242a3b903752c1a63e789bea651 100644 (file)
@@ -20,10 +20,12 @@ class BadgesMeta(type):
 
         if not dic.get('abstract', False):
             if not name in installed:
 
         if not dic.get('abstract', False):
             if not name in installed:
-                badge.ondb = Badge(cls=name, type=dic.get('type', Badge.BRONZE))
-                badge.ondb.save()
+                ondb = Badge(cls=name, type=dic.get('type', Badge.BRONZE))
+                ondb.save()
             else:
             else:
-                badge.ondb = installed[name]
+                ondb = installed[name]
+
+            badge.ondb = ondb.id
 
             inst = badge()
 
 
             inst = badge()
 
@@ -36,9 +38,8 @@ class BadgesMeta(type):
             for action in badge.listen_to:
                 action.hook(hook)
 
             for action in badge.listen_to:
                 action.hook(hook)
 
-            BadgesMeta.by_class[name] = badge
-            badge.ondb.__dict__['_class'] = inst
-            BadgesMeta.by_id[badge.ondb.id] = badge
+            BadgesMeta.by_class[name] = inst
+            BadgesMeta.by_id[ondb.id] = inst
 
         return badge
 
 
         return badge
 
@@ -58,18 +59,19 @@ class AbstractBadge(object):
 
     @classmethod
     def award(cls, user, action, once=False):
 
     @classmethod
     def award(cls, user, action, once=False):
+        db_object = Badge.objects.get(id=cls.ondb)
         try:
             if once:
                 node = None
         try:
             if once:
                 node = None
-                awarded = AwardAction.get_for(user, cls.ondb)
+                awarded = AwardAction.get_for(user, db_object)
             else:
                 node = action.node
             else:
                 node = action.node
-                awarded = AwardAction.get_for(user, cls.ondb, node)
+                awarded = AwardAction.get_for(user, db_object, node)
 
             trigger = isinstance(action, Action) and action or None
 
             if not awarded:
 
             trigger = isinstance(action, Action) and action or None
 
             if not awarded:
-                AwardAction(user=user, node=node).save(data=dict(badge=cls.ondb, trigger=trigger))
+                AwardAction(user=user, node=node).save(data=dict(badge=db_object, trigger=trigger))
         except MultipleObjectsReturned:
             if node:
                 logging.error('Found multiple %s badges awarded for user %s (%s)' % (self.name, user.username, user.id))
         except MultipleObjectsReturned:
             if node:
                 logging.error('Found multiple %s badges awarded for user %s (%s)' % (self.name, user.username, user.id))