Make somewhat clever function a little clearer

gratipay · Apr 13, 2017 · 2c2a3a5 · 2c2a3a5
1 parent 136591a
commit 2c2a3a5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
@@ -87,3 +87,4 @@ def __str__(self):
         return "Negative balance not allowed in this context."
 
 class NotWhitelisted(Exception): pass
+class NoPackages(Exception): pass
diff --git a/gratipay/models/participant/email.py b/gratipay/models/participant/email.py
@@ -9,7 +9,7 @@
 
 import gratipay
 from gratipay.exceptions import EmailAlreadyVerified, EmailTaken, CannotRemovePrimaryEmail
-from gratipay.exceptions import EmailNotVerified, TooManyEmailAddresses, EmailNotOnFile
+from gratipay.exceptions import EmailNotVerified, TooManyEmailAddresses, EmailNotOnFile, NoPackages
 from gratipay.security.crypto import constant_time_compare
 from gratipay.utils import encode_for_querystring
 
@@ -132,7 +132,8 @@ def get_email_verification_link(self, c, email, *packages):
                           , dict(id=self.id, action='add', values=dict(email=email))
                            )
         nonce = self.get_email_verification_nonce(c, email)
-        self.start_package_claims(c, nonce, *packages)
+        if packages:
+            self.start_package_claims(c, nonce, *packages)
         link = "{base_url}/~{username}/emails/verify.html?email2={encoded_email}&nonce={nonce}"
         return link.format( base_url=gratipay.base_url
                           , username=self.username_lower
@@ -177,16 +178,20 @@ def get_email_verification_nonce(self, c, email):
 
     def start_package_claims(self, c, nonce, *packages):
         """Takes a cursor, nonce and list of packages, inserts into ``claims``
-        and returns ``None``.
+        and returns ``None`` (or raise :py:exc:`NoPackages`).
         """
         if not packages:
-            return
-        VALUES, values = [], []
+            raise NoPackages()
+
+        # We want to make a single db call to insert all claims, so we need to
+        # do a little SQL construction. Do it in such a way that we still avoid
+        # Python string interpolation (~= SQLi vector).
+
+        extra_sql, values = '', []
         for p in packages:
-            VALUES.append('(%s, %s)')
+            extra_sql += ' (%s, %s)'
             values += [nonce, p.id]
-        VALUES = ', '.join(VALUES)
-        c.run('INSERT INTO claims (nonce, package_id) VALUES ' + VALUES, values)
+        c.run('INSERT INTO claims (nonce, package_id) VALUES' + extra_sql, values)
         self.app.add_event( c
                           , 'participant'
                           , dict( id=self.id