thrimshim: Fix auth query again, hopefully properly this time

3 weeks ago · f4dc0ea7f1
parent 48c91b7828
commit f4dc0ea7f1
1 changed files with 4 additions and 4 deletions
--- a/thrimshim/thrimshim/main.py
+++ b/thrimshim/thrimshim/main.py
@ -66,12 +66,12 @@ def check_user(request, role):
 	# check whether user is in the database
 	email = idinfo['email'].lower()
 	conn = app.db_manager.get_conn()
-	query = """
+	query = sql.SQL("""
 		SELECT 1
 		FROM roles
-		WHERE lower(email) = %(email)s AND %(role)s
-	"""
-	results = database.query(conn, query, email=email, role=role)
+		WHERE lower(email) = %(email)s AND {}
+	""").format(sql.Identifier(role))
+	results = database.query(conn, query, email=email)
 	row = results.fetchone()
 	if row is None:
 		return 'Unknown user. Access denied.', 403