From f3bbd025bd789bf6f4177cd1e960b95d7a589945 Mon Sep 17 00:00:00 2001
From: Andreas Ellewsen <ae@uio.no>
Date: Tue, 23 Nov 2021 14:53:54 +0100
Subject: [PATCH] Handle pure django users in userinfo endpoint

Any user that does not have a GregUserProfile must be a superuser so
this is not a problem per se, but it should be handled. For now we
simply treat them as an anonymous user and deny access.

Resolves: GREG-116
---
 gregui/api/views/userinfo.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gregui/api/views/userinfo.py b/gregui/api/views/userinfo.py
index a16fe70c..e876ec09 100644
--- a/gregui/api/views/userinfo.py
+++ b/gregui/api/views/userinfo.py
@@ -39,7 +39,10 @@ class UserInfoView(APIView):
 
         # Authenticated user, allow access
         if user.is_authenticated:
-            user_profile = GregUserProfile.objects.get(user=user)
+            try:
+                user_profile = GregUserProfile.objects.get(user=user)
+            except GregUserProfile.DoesNotExist:
+                return Response(status=HTTP_403_FORBIDDEN)
             sponsor_id = None
             person_id = None
             if user_profile.sponsor:
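Review bot: The context comment `# Authenticated user, allow access` above the new `try` no longer describes the branch, because an authenticated account without a GregUserProfile is now refused with 403 and the `except` clause does not say why. A short comment on that clause would keep the intent visible, for example `# Pure Django users (no GregUserProfile, expected to be superusers only) are denied like anonymous users (GREG-116)`. The commit message assumes only superusers lack a profile; if this module has a logger available, logging a warning with the user's primary key before returning would surface an ordinary account that reaches this path, which would point to a provisioning problem rather than an expected denial. The rest of the view method lies outside the hunk, so whether the anonymous path also answers with 403 cannot be confirmed from here.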
-- 
GitLab