From f4dc0ea7f149bf6df2f1e36a7863e137b301b971 Mon Sep 17 00:00:00 2001
From: Mike Lang
Date: Sat, 26 Oct 2024 12:42:50 +1100
Subject: [PATCH] thrimshim: Fix auth query again, hopefully properly this time
---
 thrimshim/thrimshim/main.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/thrimshim/thrimshim/main.py b/thrimshim/thrimshim/main.py
index 6eff01a..493d1af 100644
--- a/thrimshim/thrimshim/main.py
+++ b/thrimshim/thrimshim/main.py
@@ -66,12 +66,12 @@ def check_user(request, role):
 # check whether user is in the database
 email = idinfo['email'].lower()
 conn = app.db_manager.get_conn()
- query = """
+ query = sql.SQL("""
 SELECT 1
 FROM roles
- WHERE lower(email) = %(email)s AND %(role)s
- """
- results = database.query(conn, query, email=email, role=role)
+ WHERE lower(email) = %(email)s AND {}
+ """).format(sql.Identifier(role))
+ results = database.query(conn, query, email=email)
 row = results.fetchone()
 if row is None:
 return 'Unknown user. Access denied.', 403
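Review bot: Nothing in the hunk restricts `role` to the intended role columns before `sql.Identifier(role)` splices it into the `WHERE` clause, so the authorization decision depends on whichever column of `roles` that string names. The quoting keeps the value from being injectable as SQL, and if `role` is only ever a literal supplied by the route definitions this is fine, but the callers are not visible here. A guard ahead of the query, e.g. `if role not in ALLOWED_ROLES: return 'Unknown role. Access denied.', 403` (where `ALLOWED_ROLES` is a placeholder name for a module-level set of the role column names), would make an unexpected value fail closed rather than surface as an undefined-column database error. The diffstat shows no import line added, so `sql` must already be in scope in main.py, which is worth confirming. check_user's body starts before and continues after this hunk.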