From 525089a5315879769d8a985cb365b14cc03027d9 Mon Sep 17 00:00:00 2001
From: Pierre Jaury
Date: Tue, 13 Sep 2016 20:59:25 +0200
Subject: [PATCH] Do not leak information about existing domains or users

---
 admin/freeposte/admin/access.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/admin/freeposte/admin/access.py b/admin/freeposte/admin/access.py
index 34dbbfdd..eb7eea09 100644
--- a/admin/freeposte/admin/access.py
+++ b/admin/freeposte/admin/access.py
@@ -56,9 +56,7 @@ def domain_admin(args, kwargs, model, key):
 ``domain`` attribute which stores a related Domain instance).
 """
 obj = model.query.get(kwargs[key])
- if not obj:
- flask.abort(404)
- else:
+ if obj:
 domain = obj if type(obj) is models.Domain else obj.domain
 return domain in flask_login.current_user.get_managed_domains()
 
@@ -79,9 +77,7 @@ def owner(args, kwargs, model, key):
 if kwargs[key] is None and model == models.User:
 return True
 obj = model.query.get(kwargs[key])
- if not obj:
- flask.abort(404)
- else:
+ if obj:
 user = obj if type(obj) is models.User else obj.user
 return (
 user.email == flask_login.current_user.email
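Review bot: With the `flask.abort(404)` branch removed, `domain_admin` denies a missing object only by falling off the end of the `if obj:` block and returning `None` implicitly. The same applies to `owner` in the second hunk, whose body continues past the hunk. For an authorization predicate the denial is better stated explicitly, by adding `return False` after the `if obj:` block with a comment such as `# Missing objects are denied exactly like forbidden ones, so the response does not reveal which domains or users exist`. The caller is not visible here, so it is presumably the decorator that maps any falsy result to the same forbidden response. That is worth confirming and pinning with a test that compares the response for a nonexistent object against the one for an existing but unmanaged object.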