usgo / online-ratings

AGA Online Ratings protocol and implementation
MIT License

/players/<player_id> 500s on logged-out users #44

Closed brilee closed 8 years ago

brilee commented 8 years ago

The permission check from {% if user.can_reset_player_token(player) %}<tr><td>Token</td><td>{{ player.token }}</td></tr>{% endif %} is an error when user is an AnonymousUserMixin object, instead of our model-defined User object.

{% if not user.is_anonymous and user.can_reset_player_token(player) %}<tr><td>Token</td><td>{{ player.token }}</td></tr>{% endif %} should fix the issue; needs to be tested.

brilee commented 8 years ago

The problem is fundamentally that flask.ext.login.current_user is not guaranteed to be an instance of User; it is only an instance of UserMixin. So you can't directly call any methods of User...

brilee commented 8 years ago

I moved the can_reset_player_token-related stuff to the profile page, which is by definition restricted to logged-in users.
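Added example (not code from the usgo/online-ratings repository) showing why the original template guard raises for a logged-out user and two ways to make it safe: the is_anonymous short-circuit proposed in the thread, and a custom anonymous-user class that defines the permission method itself. The mixin classes, Player, owner_id and the body of can_reset_player_token are constructed stand-ins that mirror Flask-Login's interface so the example runs offline.

```python
# Constructed stand-ins mirroring the attributes of flask_login.UserMixin and
# flask_login.AnonymousUserMixin; not the library's own classes.
class UserMixin:
    is_authenticated = True
    is_anonymous = False


class AnonymousUserMixin:
    is_authenticated = False
    is_anonymous = True


class Player:
    """Hypothetical player record; owner_id and token are assumed fields."""
    def __init__(self, owner_id, token):
        self.owner_id = owner_id
        self.token = token


class User(UserMixin):
    """Model-defined user; the permission body is an assumption for this example."""
    def __init__(self, user_id):
        self.id = user_id

    def can_reset_player_token(self, player):
        return player.owner_id == self.id


class AnonymousUser(AnonymousUserMixin):
    """Custom anonymous class (Flask-Login lets you install one via
    login_manager.anonymous_user) that answers every permission question
    with False, so templates need no is_anonymous guard at all."""
    def can_reset_player_token(self, player):
        return False


def token_row_unguarded(user, player):
    """Mirrors the original template: calls the User method on whatever
    current_user is. Raises AttributeError for a bare AnonymousUserMixin."""
    if user.can_reset_player_token(player):
        return "<tr><td>Token</td><td>%s</td></tr>" % player.token
    return ""


def token_row_guarded(user, player):
    """Mirrors the proposed fix: 'and' short-circuits on is_anonymous, so the
    User-only method is never reached for a logged-out request."""
    if not user.is_anonymous and user.can_reset_player_token(player):
        return "<tr><td>Token</td><td>%s</td></tr>" % player.token
    return ""
```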