From 4ebdcb719a348be072b1b032d74aa6aee1b1554f Mon Sep 17 00:00:00 2001
From: ☃ Stephen Shkardoon ☃ <ss23@ss23.geek.nz>
Date: Tue, 7 Apr 2020 07:03:22 +1200
Subject: db: include the Team ID in the error message (#6056)

This means that when using the API to create a new team, the output
contains the existing team ID, not just the name.
While there may be the thought that this reveals sensitive
information, it is never the case that a user can create or update
a team without permission to view the teams in the first place.
---
 internal/db/org_team.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'internal/db/org_team.go')

diff --git a/internal/db/org_team.go b/internal/db/org_team.go
index f5309888..6e141d25 100644
--- a/internal/db/org_team.go
+++ b/internal/db/org_team.go
@@ -241,11 +241,12 @@ func NewTeam(t *Team) error {
 	}
 
 	t.LowerName = strings.ToLower(t.Name)
-	has, err = x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).Get(new(Team))
+	existingTeam := Team{}
+	has, err = x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).Get(&existingTeam)
 	if err != nil {
 		return err
 	} else if has {
-		return ErrTeamAlreadyExist{t.OrgID, t.LowerName}
+		return ErrTeamAlreadyExist{existingTeam.ID, t.OrgID, t.LowerName}
 	}
 
 	sess := x.NewSession()
@@ -346,11 +347,12 @@ func UpdateTeam(t *Team, authChanged bool) (err error) {
 	}
 
 	t.LowerName = strings.ToLower(t.Name)
-	has, err := x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).And("id!=?", t.ID).Get(new(Team))
+	existingTeam := new(Team)
+	has, err := x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).And("id!=?", t.ID).Get(&existingTeam)
 	if err != nil {
 		return err
 	} else if has {
-		return ErrTeamAlreadyExist{t.OrgID, t.LowerName}
+		return ErrTeamAlreadyExist{existingTeam.ID, t.OrgID, t.LowerName}
 	}
 
 	if _, err = sess.ID(t.ID).AllCols().Update(t); err != nil {
-- 
cgit v1.2.3