From 29cc4d928051bd05fb00f3fd1df463ab8598e0f1 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica
Date: Wed, 19 Jun 2024 12:29:45 +0200
Subject: views: prevent user removal after password mismatch in user/edit

If password and confirm password fields mismatch in user/edit, then the user is deleted. The deletion of the user happens before the password validation and the new user configuration is only saved if the validation passes. Add code to properly handle the user deletion after the validation.
---
 ogcp/views.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'ogcp')
diff --git a/ogcp/views.py b/ogcp/views.py
index f023d1f..59e138c 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -2903,12 +2903,18 @@ def save_user(form, preserve_pwd):
 with open(filename, 'r+') as file:
 config = json.load(file)
+ old_user = get_user(username)
+
+ if old_user:
+ config['USERS'].remove(old_user)
 config['USERS'].append(user)
 file.seek(0)
 json.dump(config, file, indent='\t')
 file.truncate()
+ if old_user:
+ app.config['USERS'].remove(old_user)
 app.config['USERS'].append(user)
 return redirect(url_for('users'))
@@ -2998,8 +3004,6 @@ def user_edit_post():
 if preserve_pwd:
 form.pwd.data = old_user_data.get("PASS")
- delete_user(username)
-
 return save_user(form, preserve_pwd)
-- cgit v1.2.3-18-g5258
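Review bot: `config['USERS'].remove(old_user)` in the first hunk removes by value from the list just loaded from disk, while `old_user` comes from `get_user(username)`, which is not shown here and presumably reads the in-memory `app.config['USERS']`. If the two copies have drifted (a manual edit of the file, or another worker that saved first), `list.remove` raises `ValueError` inside the `with` block and the edit fails with an unhandled error; selecting the on-disk entry by username rather than by equality with the in-memory dict would avoid that. Separately, `save_user` now replaces any existing account with the same name for every caller, so the user/add path has to reject duplicate usernames before calling it, otherwise a create request could overwrite an existing account's password and permissions. A short docstring on `save_user` stating the replace semantics would make that precondition explicit. The body of `save_user` starts above this hunk, so where `username` is bound is not visible.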