From: Javyer DerDerian <javierder@gmail.com>
Date: Mon, 23 Feb 2015 18:10:52 +0000 (-0300)
Subject: fix breach in award points that allows user to award infinite points
X-Git-Tag: live~17
X-Git-Url: https://git.openstreetmap.org/osqa.git/commitdiff_plain/fc4711d32acb2f0a4cbcf0bfe668189f3590db49

fix breach in award points that allows user to award infinite points
---

diff --git a/forum/views/users.py b/forum/views/users.py
index c6fae00..786320c 100644
--- a/forum/views/users.py
+++ b/forum/views/users.py
@@ -211,11 +211,16 @@ def award_points(request, id):
     except:
         raise decorators.CommandException(_("Invalid number of points to award."))
 
+    awarding_user = get_object_or_404(User, id=request.user.pk)
+
+    if points > awarding_user.reputation:
+        raise decorators.CommandException(_("Invalid number of points to award."))
+
     user = get_object_or_404(User, id=id)
 
     extra = dict(message=request.POST.get('message', ''), awarding_user=request.user.id, value=points)
 
-    BonusRepAction(user=request.user, extra=extra).save(data=dict(value=points, affected=user))
+    BonusRepAction(user=user, extra=extra).save(data=dict(value=points, affected=user))
 
     return {'commands': {
             'update_profile_karma': [user.reputation]