Change API calls that expect non-robots to explicitly filter

Before this change, we'd filter in the UI but calls to the API could allow robots accounts where we only expect real users

data/model/legacy.py

@@ -642,6 +642,13 @@ def find_user_by_email(email):
     return None
 
 
+def get_nonrobot_user(username):
+  try:
+    return User.get(User.username == username, User.organization == False, User.robot == False)
+  except User.DoesNotExist:
+    return None
+
+
 def get_user(username):
   try:
     return User.get(User.username == username, User.organization == False)

endpoints/api/superuser.py

@@ -238,8 +238,8 @@ class SuperUserSendRecoveryEmail(ApiResource):
   @nickname('sendInstallUserRecoveryEmail')
   def post(self, username):
     if SuperUserPermission().can():
-      user = model.get_user(username)
-      if not user or user.organization or user.robot:
+      user = model.get_nonrobot_user(username)
+      if not user:
         abort(404)
 
       if superusers.is_superuser(username):
@@ -288,8 +288,8 @@ class SuperUserManagement(ApiResource):
   def get(self, username):
     """ Returns information about the specified user. """
     if SuperUserPermission().can():
-      user = model.get_user(username)
-      if not user or user.organization or user.robot:
+      user = model.get_nonrobot_user(username)
+      if not user:
         abort(404)
 
       return user_view(user)
@@ -302,8 +302,8 @@ class SuperUserManagement(ApiResource):
   def delete(self, username):
     """ Deletes the specified user. """
     if SuperUserPermission().can():
-      user = model.get_user(username)
-      if not user or user.organization or user.robot:
+      user = model.get_nonrobot_user(username)
+      if not user:
         abort(404)
 
       if superusers.is_superuser(username):
@@ -321,8 +321,8 @@ class SuperUserManagement(ApiResource):
   def put(self, username):
     """ Updates information about the specified user. """
     if SuperUserPermission().can():
-        user = model.get_user(username)
-        if not user or user.organization or user.robot:
+        user = model.get_nonrobot_user(username)
+        if not user:
           abort(404)
 
         if superusers.is_superuser(username):

endpoints/api/user.py

@@ -281,7 +281,7 @@ class User(ApiResource):
     user_data = request.get_json()
     invite_code = user_data.get('invite_code', '')
 
-    existing_user = model.get_user(user_data['username'])
+    existing_user = model.get_nonrobot_user(user_data['username'])
     if existing_user:
       raise request_error(message='The username already exists')
 
@@ -821,8 +821,8 @@ class Users(ApiResource):
   @nickname('getUserInformation')
   def get(self, username):
     """ Get user information for the specified user. """
-    user = model.get_user(username)
-    if user is None or user.organization or user.robot:
+    user = model.get_nonrobot_user(username)
+    if user is None:
       abort(404)
 
     return user_view(user)

endpoints/notificationmethod.py

@@ -71,7 +71,7 @@ class QuayNotificationMethod(NotificationMethod):
     target_info = config_data['target']
 
     if target_info['kind'] == 'user':
-      target = model.get_user(target_info['name'])
+      target = model.get_nonrobot_user(target_info['name'])
       if not target:
         # Just to be safe.
         return (True, 'Unknown user %s' % target_info['name'], [])

tools/sendconfirmemail.py

@@ -10,7 +10,7 @@ from flask import Flask, current_app
 from flask_mail import Mail
 
 def sendConfirmation(username):
-  user = model.get_user(username)
+  user = model.get_nonrobot_user(username)
   if not user:
     print 'No user found'
     return

tools/sendresetemail.py

@@ -10,7 +10,7 @@ from flask import Flask, current_app
 from flask_mail import Mail
 
 def sendReset(username):
-  user = model.get_user(username)
+  user = model.get_nonrobot_user(username)
   if not user:
     print 'No user found'
     return