From d3ceb81cc3906c162bd72e77c81db4e2693bbd1e Mon Sep 17 00:00:00 2001
From: Christian Merten
Date: Tue, 3 Dec 2024 00:17:18 +0100
Subject: [PATCH] members/echo: check key validity before password requesting password
---
 jdav_web/members/views.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/jdav_web/members/views.py b/jdav_web/members/views.py
index f737976..57f0703 100644
--- a/jdav_web/members/views.py
+++ b/jdav_web/members/views.py
@@ -124,6 +124,13 @@ def echo(request):
 return HttpResponseRedirect(reverse('startpage:index'))
 if request.method == 'GET':
+ key = request.GET['key']
+ # try to get a member from the supplied echo key
+ try:
+ member = Member.objects.get(echo_key=key)
+ except Member.DoesNotExist:
+ return render_echo_failed(request, _("invalid"))
+ # show password
 return render_echo_password(request, request.GET['key'])
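Review bot: The added `key = request.GET['key']` raises `MultiValueDictKeyError` when the `key` parameter is absent, so a bare GET ends in a server error instead of the "invalid" page; `key = request.GET.get('key')` followed by `if not key: return render_echo_failed(request, _("invalid"))` would also keep an empty key from being looked up, which matters if members without a pending echo store an empty `echo_key` (not visible here). `Member.objects.get(echo_key=key)` can also raise `Member.MultipleObjectsReturned` unless the field is unique, so the handler is safer as `except (Member.DoesNotExist, Member.MultipleObjectsReturned):`. The view now tells an unauthenticated caller whether a key exists before any password is asked for, so it is worth confirming that echo keys are long random values and that this endpoint is rate limited. `member` is not used afterwards in the visible lines, and the last line can pass `key` instead of reading `request.GET['key']` again. The body of `echo` starts and ends outside the hunk.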