fix breach in award points that allows user to award infinite points
[osqa.git] / forum / badges / base.py
index 3af46f7c20496c0ac101e9af9658343f0528f571..c78a925e80685242a3b903752c1a63e789bea651 100644 (file)
@@ -1,7 +1,7 @@
 import re
 from string import lower
 
-from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import MultipleObjectsReturned
 from django.db.models.signals import post_save
 
 from forum.models import Badge, Node, Action
@@ -20,10 +20,12 @@ class BadgesMeta(type):
 
         if not dic.get('abstract', False):
             if not name in installed:
-                badge.ondb = Badge(cls=name, type=dic.get('type', Badge.BRONZE))
-                badge.ondb.save()
+                ondb = Badge(cls=name, type=dic.get('type', Badge.BRONZE))
+                ondb.save()
             else:
-                badge.ondb = installed[name]
+                ondb = installed[name]
+
+            badge.ondb = ondb.id
 
             inst = badge()
 
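Review bot: `badge.ondb` now holds the Badge row's primary key instead of the model instance, but the name still reads as an object. A comment at the assignment, e.g. `# ondb is the Badge primary key, not the model; award() loads the row on each call`, or a rename to `ondb_id`, would stop callers treating it as a model. Any code outside this hunk that still reads attributes off `badge.ondb` would presumably fail, so those call sites are worth checking. The metaclass method starts and ends outside the hunk.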
@@ -36,9 +38,8 @@ class BadgesMeta(type):
             for action in badge.listen_to:
                 action.hook(hook)
 
-            BadgesMeta.by_class[name] = badge
-            badge.ondb.__dict__['_class'] = inst
-            BadgesMeta.by_id[badge.ondb.id] = badge
+            BadgesMeta.by_class[name] = inst
+            BadgesMeta.by_id[ondb.id] = inst
 
         return badge
 
@@ -58,14 +59,21 @@ class AbstractBadge(object):
 
     @classmethod
     def award(cls, user, action, once=False):
-        if once:
-            node = None
-            awarded = AwardAction.get_for(user, cls.ondb)
-        else:
-            node = action.node
-            awarded = AwardAction.get_for(user, cls.ondb, node)
+        db_object = Badge.objects.get(id=cls.ondb)
+        try:
+            if once:
+                node = None
+                awarded = AwardAction.get_for(user, db_object)
+            else:
+                node = action.node
+                awarded = AwardAction.get_for(user, db_object, node)
 
-        trigger = isinstance(action, Action) and action or None
+            trigger = isinstance(action, Action) and action or None
 
-        if not awarded:
-            AwardAction(user=user, node=node, ip=action.ip).save(data=dict(badge=cls.ondb, trigger=trigger))
\ No newline at end of file
+            if not awarded:
+                AwardAction(user=user, node=node).save(data=dict(badge=db_object, trigger=trigger))
+        except MultipleObjectsReturned:
+            if node:
+                logging.error('Found multiple %s badges awarded for user %s (%s)' % (self.name, user.username, user.id))
+            else:
+                logging.error('Found multiple %s badges awarded for user %s (%s) and node %s' % (self.name, user.username, user.id, node.id))
\ No newline at end of file
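Review bot: The `except MultipleObjectsReturned` handler at the end of `award` will fail when it runs, which masks the very condition this security fix is meant to surface. It reads `self.name` inside a `@classmethod` whose first parameter is `cls`, and its branches are swapped, so the `else` path dereferences `node.id` exactly when `node` is `None`. `logging` is not among the imports visible in the first hunk, so confirm it is imported further down the file. Separately, `AwardAction.get_for` followed by `save` is still a check-then-insert, so two concurrent requests can presumably both pass `if not awarded`. The handler only reports duplicates that already exist; a uniqueness constraint on user, badge and node, or a transaction around the check, is what would close that path.

```python
        except MultipleObjectsReturned:
            # node is None on the once=True path, so only dereference it when set
            if node:
                logging.error('Found multiple %s badges awarded for user %s (%s) and node %s' % (
                    cls.__name__, user.username, user.id, node.id))
            else:
                logging.error('Found multiple %s badges awarded for user %s (%s)' % (
                    cls.__name__, user.username, user.id))
```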