From 367059ddef14a495e277f68ceaf3455c092f839d Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Tue, 11 Apr 2023 12:27:23 +0200
Subject: bandit checker: mark false security issues - fix security issues (low severity)
---
 ishtar_common/views.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'ishtar_common/views.py')
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index ac4e995d1..ba9be495a 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -1256,8 +1256,9 @@ class QRCodeView(DynamicModelView, IshtarMixin, LoginRequiredMixin, View):
 model = self.get_model(kwargs)
 try:
 item = model.objects.get(pk=kwargs.get("pk"))
- assert hasattr(item, "qrcode")
- except (model.DoesNotExist, AssertionError):
+ except model.DoesNotExist:
+ raise Http404()
+ if not hasattr(item, "qrcode"):
 raise Http404()
 if not item.qrcode or not item.qrcode.name:
@@ -2191,8 +2192,9 @@ class DocumentEditView(DocumentFormMixin, UpdateView):
 kwargs = super(DocumentEditView, self).get_form_kwargs()
 try:
 document = models.Document.objects.get(pk=self.kwargs.get("pk"))
- assert check_permission(self.request, "document/edit", document.pk)
- except (AssertionError, models.Document.DoesNotExist):
+ except models.Document.DoesNotExist:
+ raise Http404()
+ if not check_permission(self.request, "document/edit", document.pk):
 raise Http404()
 initial = {}
 for k in (
@@ -2475,7 +2477,8 @@ class QAItemForm(IshtarMixin, LoginRequiredMixin, FormView):
 return self.model.get_quick_action_by_url(self.base_url)
 def pre_dispatch(self, request, *args, **kwargs):
- assert self.model
+ if not self.model:
+ raise NotImplementedError("No attribute model defined.")
 pks = [int(pk) for pk in kwargs.get("pks").split("-")]
 self.items = list(self.model.objects.filter(pk__in=pks))
 if not self.items:
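Review bot: The `document/edit` permission is enforced only inside `DocumentEditView.get_form_kwargs`, so it protects the view only as long as every request path builds the form; the `geo/edit` check in `GeoEditView.get_form_kwargs` in the last hunk has the same shape. Both methods continue past the end of their hunks and the rest of the classes is not visible, so this may already be covered elsewhere. If it is not, doing the check in `dispatch()` or `get_object()` would make the authorisation independent of form construction. If answering a denied permission with a 404 is deliberate, a comment such as `# 404 rather than 403: do not reveal that the object exists to users who cannot edit it` above the `if not check_permission(...)` line would record that.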
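Review bot: In `QAItemForm.pre_dispatch`, the line right after the new guard still calls `.split("-")` on `kwargs.get("pks")` and `int(pk)` on each piece with no error handling. A missing or non-numeric value would therefore surface as an unhandled `AttributeError` or `ValueError`, i.e. a 500, unless the URL pattern already restricts `pks` to digits and dashes; the route is not visible here. In line with the other hunks this could be mapped to a 404 by wrapping the comprehension in `try:` and adding `except (AttributeError, ValueError): raise Http404()`. The method continues past the end of the hunk.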
@@ -2836,8 +2839,10 @@ class GeoEditView(GeoFormMixin, UpdateView):
 kwargs = super(GeoEditView, self).get_form_kwargs()
 try:
 geo = models.GeoVectorData.objects.get(pk=self.kwargs.get("pk"))
- assert check_permission(self.request, "geo/edit", geo.pk)
- except (AssertionError, models.GeoVectorData.DoesNotExist):
+ except models.GeoVectorData.DoesNotExist:
+ raise Http404()
+
+ if not check_permission(self.request, "geo/edit", geo.pk):
 raise Http404()
 initial = {}
-- cgit v1.2.3