profile view passes raw GET string as user lookup key with no DoesNotExist handling

[vjpixel]

Description

In src/users/views.py, the profile() view reads the user parameter directly from the query string (request.GET.get("user")) and passes it as-is to Profile.objects.get(user=user). This raw string value is used without validation or error handling, which can result in unhandled exceptions and HTTP 500 errors.

Location

File: src/users/views.py
Function: profile()
Branch: develop

Current Code

@login_required
@require_http_methods(["GET"])
def profile(request):
    user = request.GET.get("user")
    if not user:
        user = request.user
    profile = Profile.objects.prefetch_related(...).get(user=user)
    ...

Problems

1. No type validation: When user comes from request.GET, it is a string (e.g., "42" or "someusername"). Passing this to .get(user=user) performs a lookup on the ForeignKey field. If the value is not a valid integer ID, a ValueError or TypeError is raised.

2. No DoesNotExist handling: If the provided user ID does not match any Profile, Profile.DoesNotExist is raised and results in an unhandled HTTP 500 error instead of a 404.

3. Unclear semantics: The parameter name is user but the query is on Profile via the ForeignKey. It is not clear whether the value is expected to be a user ID or something else.

Suggested Fix

@login_required
@require_http_methods(["GET"])
def profile(request):
    user_param = request.GET.get("user")
    if not user_param:
        user = request.user
    else:
        try:
            user_id = int(user_param)
        except (ValueError, TypeError):
            raise Http404
        user = get_object_or_404(User, id=user_id)

    profile = get_object_or_404(
        Profile.objects.prefetch_related(...),
        user=user
    )
    ...

Severity

High — Passing an invalid or non-existent user ID to this view causes an unhandled HTTP 500 error.

[pablodiegoss]

The problem is LGTM, but the suggested fix does not make a lot of sense. I'm not sure why we currently have 2 ways of retrieving the user for the profile page, probably only one of those work (I guess the request.user is being used ) and the other one is never used, the solution here is probably removing the request.GET.get user and making the necessary validations, not keeping both versions and adding exception handling to something that is never used.