From c94ebba0b3eec20555cd1582124cef144e85b43f Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Fri, 27 Sep 2019 10:10:03 -0400
Subject: [PATCH] Saving user session checks if User exists

- Check that model User object exists with id=user_id before attempting to save to database
- UserSessionMembership saves to the database using foreign key, User
- However, User with matching id might not exist if browser sends request with stale cookies
- Change made in regards to issue #4334
---
 awx/main/signals.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/awx/main/signals.py b/awx/main/signals.py
index 9846b11dd3..157db6515b 100644
--- a/awx/main/signals.py
+++ b/awx/main/signals.py
@@ -20,6 +20,7 @@ from django.db.models.signals import (
 )
 from django.dispatch import receiver
 from django.contrib.auth import SESSION_KEY
+from django.contrib.auth.models import User
 from django.contrib.sessions.models import Session
 from django.utils import timezone
@@ -684,7 +685,8 @@ def save_user_session_membership(sender, **kwargs):
 return
 if UserSessionMembership.objects.filter(user=user_id, session=session).exists():
 return
- UserSessionMembership(user_id=user_id, session=session, created=timezone.now()).save()
+ if User.objects.filter(id=int(user_id)).exists():
+ UserSessionMembership(user_id=user_id, session=session, created=timezone.now()).save()
 expired = UserSessionMembership.get_memberships_over_limit(user_id)
 for membership in expired:
 Session.objects.filter(session_key__in=[membership.session_id]).delete()
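Review bot: In the second hunk, the new `User.objects.filter(id=int(user_id)).exists()` guard wraps only the `.save()` call, so for a stale session the handler appears to fall through to `get_memberships_over_limit(user_id)` and the deletion loop for a user that does not exist. An early exit would match the two guards above it: `if not User.objects.filter(id=user_id).exists(): return`. The `int(user_id)` cast can raise `ValueError` or `TypeError` inside the signal handler if the session value is not a numeric string, whereas the neighbouring `filter(user=user_id, ...)` leaves the coercion to the ORM. The check followed by the save is also not atomic, so a user deleted between the two queries may still produce the foreign-key failure this commit targets; handling `IntegrityError` around the save would cover that case. The body of `save_user_session_membership` starts outside the hunk, so how `user_id` is derived is not visible, and the original indentation is lost in this rendering.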