From a6000aec2a291d723171cbf56449b6a9369d7cea Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Fri, 29 Jan 2021 10:24:00 +0100
Subject: [PATCH 1/3] Fix permission to view user detail
---
 apps/registration/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/registration/views.py b/apps/registration/views.py
index 00a3616..6997c93 100644
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
@@ -242,7 +242,7 @@ class UserDetailView(LoginRequiredMixin, DetailView):
 user = self.get_object()
 if user == me or me.registration.is_admin or me.registration.is_volunteer \
 and user.registration.participates and user.registration.team \
- and user.registration.team.participation.tournament in user.registration.organized_tournaments.all() \
+ and user.registration.team.participation.tournament in me.registration.organized_tournaments.all() \
 or user.registration.is_volunteer and me.registration.is_volunteer \
 and me.registration.interesting_tournaments.intersection(user.registration.intersting_tournaments):
 return super().dispatch(request, *args, **kwargs)
From 67540df3346d6ad71b118218ef637828785ca88d Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Fri, 29 Jan 2021 10:31:30 +0100
Subject: [PATCH 2/3] Fix error message when a tournament is not specified
---
 apps/registration/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/registration/views.py b/apps/registration/views.py
index 6997c93..a938ede 100644
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
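Review bot: On the last line of the condition in `UserDetailView` (patch 1/3), `user.registration.intersting_tournaments` is spelled differently from `me.registration.interesting_tournaments` on the same line; if the attribute is `interesting_tournaments`, the volunteer-to-volunteer branch raises `AttributeError` instead of deciding access, and the call should read `.intersection(user.registration.interesting_tournaments)`. The condition also mixes `and` and `or` across five continuation lines without parentheses, relying on `and` binding tighter than `or`, which is the kind of layout where the `user`/`me` mix-up fixed here can go unnoticed. Wrapping each alternative in parentheses, or naming them as locals such as `is_organizer` and `shares_tournament`, would make the access rule reviewable. The method starts and ends outside the hunk, so what happens when the condition is false is not visible.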
@@ -376,10 +376,10 @@ class AuthorizationTemplateView(TemplateView):
 if registration.user == self.request.user \
 or self.request.user.is_authenticated and self.request.user.registration.is_admin:
 context["registration"] = registration
- if "tournament_id" in self.request.GET:
+ if "tournament_id" in self.request.GET and self.request.GET.get("tournament_id"):
 context["tournament"] = Tournament.objects.get(pk=self.request.GET.get("tournament_id"))
 else:
- raise ValueError("Merci d'indiquer un tournoi.")
+ raise PermissionDenied("Merci d'indiquer un tournoi.")
 return context
From 2367131316e8dc4bf254c5cba6fcabe24b824d11 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Fri, 29 Jan 2021 10:33:06 +0100
Subject: [PATCH 3/3] Raise error when a given tournament does not exist
---
 apps/registration/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/registration/views.py b/apps/registration/views.py
index a938ede..be6397a 100644
--- a/apps/registration/views.py
+++ b/apps/registration/views.py
@@ -376,7 +376,9 @@ class AuthorizationTemplateView(TemplateView):
 if registration.user == self.request.user \
 or self.request.user.is_authenticated and self.request.user.registration.is_admin:
 context["registration"] = registration
- if "tournament_id" in self.request.GET and self.request.GET.get("tournament_id"):
+ if "tournament_id" in self.request.GET and self.request.GET.get("tournament_id").isnumeric():
+ if not Tournament.objects.filter(pk=self.request.get("tournament_id")).exists():
+ raise PermissionDenied("Ce tournoi n'existe pas.")
 context["tournament"] = Tournament.objects.get(pk=self.request.GET.get("tournament_id"))
 else:
 raise PermissionDenied("Merci d'indiquer un tournoi.")
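Review bot: In patch 2/3, raising `PermissionDenied` for a missing `tournament_id` in `AuthorizationTemplateView` reports an input error as an access-control failure, so 403s in logs and monitoring no longer mean only "authorization denied". A 400 response would keep the two apart; Django's `SuspiciousOperation` maps to one. The added test is also redundant, because `self.request.GET.get("tournament_id")` is already falsy when the key is absent, so `if self.request.GET.get("tournament_id"):` is enough. The method starts outside the hunk, and the branch taken when the requester is neither the registration's owner nor an admin is not visible here; it is worth confirming that case is rejected rather than rendered with a partial context.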
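Review bot: In patch 3/3, the added existence check calls `self.request.get("tournament_id")`, but the surrounding lines read the query string from `self.request.GET`, and Django's request object has no `get` method. Every request carrying a numeric id would therefore fail with `AttributeError` before `PermissionDenied` can be raised; the line should read `if not Tournament.objects.filter(pk=self.request.GET.get("tournament_id")).exists():`. The `.isnumeric()` guard also accepts characters such as `²` or `½` that `int()` rejects, so those values still reach the ORM lookup and likely end in an unhandled error; `.isdecimal()` is the stricter check. Reading the parameter once into a local and using `.filter(pk=...).first()` would remove the second query and the gap between `exists()` and `get()`. The enclosing method starts and ends outside the hunk.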