fix breach in award points that allows user to award infinite points / extra fix
[osqa.git] / forum / views / users.py
index c6fae00e31a08d96615d6ed828c73fe239d16272..adf9b5959d2f9ebca8a31f6b9077c33116dc487a 100644 (file)
@@ -211,6 +211,11 @@ def award_points(request, id):
     except:
         raise decorators.CommandException(_("Invalid number of points to award."))
 
+    awarding_user = get_object_or_404(User, id=request.user.pk)
+
+    if points > awarding_user.reputation:
+        raise decorators.CommandException(_("Invalid number of points to award."))
+
     user = get_object_or_404(User, id=id)
 
     extra = dict(message=request.POST.get('message', ''), awarding_user=request.user.id, value=points)
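Review bot: The new guard `if points > awarding_user.reputation:` only bounds the amount from above, so a zero or negative `points` still passes it. Unless the parsing above the hunk (only its `except` branch is visible here) already rejects non-positive values, the condition should read `if points <= 0 or points > awarding_user.reputation:`. The comparison is also a separate step from the reputation deduction, which presumably happens further down outside the hunk, so two concurrent requests can read the same balance and both pass. Doing the check and the deduction in one transaction on a locked row, or as a single conditional update, would close that window. award_points starts and ends outside the hunk, so both points should be confirmed against the full function.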