hashview/jobs/routes.py — jobs_delete, jobs_start, and jobs_stop all do:
```python
job = Jobs.query.get(job_id)
if current_user.admin or job.owner_id == current_user.id:
...
```
If job_id doesn't exist, Jobs.query.get() returns None, then job.owner_id raises AttributeError, yielding a 500.
Repro: log in, visit /jobs/delete/99999999 (or /jobs/start/99999999 / /jobs/stop/99999999). 500.
Suggested fix: these routes were intentionally left untouched by the recent ownership audit (which introduced _authorize_job_or_abort in the same module). Migrating delete/start/stop to that helper resolves both the null-deref and unifies the auth check. Alternatively, an explicit if job is None: abort(404) works.
hashview/jobs/routes.py—jobs_delete,jobs_start, andjobs_stopall do:```python
job = Jobs.query.get(job_id)
if current_user.admin or job.owner_id == current_user.id:
...
```
If
job_iddoesn't exist,Jobs.query.get()returnsNone, thenjob.owner_idraisesAttributeError, yielding a 500.Repro: log in, visit
/jobs/delete/99999999(or/jobs/start/99999999//jobs/stop/99999999). 500.Suggested fix: these routes were intentionally left untouched by the recent ownership audit (which introduced
_authorize_job_or_abortin the same module). Migrating delete/start/stop to that helper resolves both the null-deref and unifies the auth check. Alternatively, an explicitif job is None: abort(404)works.