Issue #1886: Bad request when use project.slug instead project.id in API calls

2015-01-13 18:37:25 +01:00 · 2015-01-13 18:37:25 +01:00 · 268b6a7ad4
parent c2416dd622
commit 268b6a7ad4
2 changed files with 43 additions and 7 deletions
--- a/taiga/base/filters.py
+++ b/taiga/base/filters.py
@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import operator
 from functools import reduce
+import logging

 from django.db.models import Q
 from django.db.models.sql.where import ExtraWhere, OR, AND
@ -22,9 +23,12 @@ from django.db.models.sql.where import ExtraWhere, OR, AND
 from rest_framework import filters

 from taiga.base import tags
+from taiga.base import exceptions as exc

 from taiga.projects.models import Membership

+logger = logging.getLogger(__name__)
+

 class QueryParamsFilterMixin(filters.BaseFilterBackend):
    _special_values_dict = {
@ -92,8 +96,13 @@ class PermissionBasedFilterBackend(FilterBackend):

    def filter_queryset(self, request, queryset, view):
        project_id = None
-        if hasattr(view, "filter_fields") and "project" in view.filter_fields:
-            project_id = request.QUERY_PARAMS.get("project", None)
+        if (hasattr(view, "filter_fields") and "project" in view.filter_fields and
+                "project" in request.QUERY_PARAMS):
+            try:
+                project_id = int(request.QUERY_PARAMS["project"])
+            except:
+                logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"]))
+                raise exc.BadRequest("'project' must be an integer value.")

        qs = queryset

@ -103,11 +112,13 @@ class PermissionBasedFilterBackend(FilterBackend):
            memberships_qs = Membership.objects.filter(user=request.user)
            if project_id:
                memberships_qs = memberships_qs.filter(project_id=project_id)
-            memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) | Q(is_owner=True))
+            memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
+                                                   Q(is_owner=True))

            projects_list = [membership.project_id for membership in memberships_qs]

-            qs = qs.filter(Q(project_id__in=projects_list) | Q(project__public_permissions__contains=[self.permission]))
+            qs = qs.filter(Q(project_id__in=projects_list) |
+                           Q(project__public_permissions__contains=[self.permission]))
        else:
            qs = qs.filter(project__anon_permissions__contains=[self.permission])

@ -171,8 +182,13 @@ class CanViewWikiAttachmentFilterBackend(PermissionBasedAttachmentFilterBackend)
 class CanViewProjectObjFilterBackend(FilterBackend):
    def filter_queryset(self, request, queryset, view):
        project_id = None
-        if hasattr(view, "filter_fields") and "project" in view.filter_fields:
-            project_id = request.QUERY_PARAMS.get("project", None)
+        if (hasattr(view, "filter_fields") and "project" in view.filter_fields and
+                "project" in request.QUERY_PARAMS):
+            try:
+                project_id = int(request.QUERY_PARAMS["project"])
+            except:
+                logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"]))
+                raise exc.BadRequest("'project' must be an integer value.")

        qs = queryset

@ -182,7 +198,8 @@ class CanViewProjectObjFilterBackend(FilterBackend):
            memberships_qs = Membership.objects.filter(user=request.user)
            if project_id:
                memberships_qs = memberships_qs.filter(project_id=project_id)
-            memberships_qs = memberships_qs.filter(Q(role__permissions__contains=['view_project']) | Q(is_owner=True))
+            memberships_qs = memberships_qs.filter(Q(role__permissions__contains=['view_project']) |
+                                                   Q(is_owner=True))

            projects_list = [membership.project_id for membership in memberships_qs]

--- a/tests/integration/resources_permissions/test_issues_resources.py
+++ b/tests/integration/resources_permissions/test_issues_resources.py
@ -205,6 +205,25 @@ def test_issue_list(client, data):
    assert response.status_code == 200


+def test_issue_list_filter_by_project_ok(client, data):
+    url = "{}?project={}".format(reverse("issues-list"), data.public_project.pk)
+
+    client.login(data.project_owner)
+    response = client.get(url)
+
+    assert response.status_code == 200
+    assert len(response.data) == 1
+
+
+def test_issue_list_filter_by_project_error(client, data):
+    url = "{}?project={}".format(reverse("issues-list"), "-ERROR-")
+
+    client.login(data.project_owner)
+    response = client.get(url)
+
+    assert response.status_code == 400
+
+
 def test_issue_create(client, data):
    url = reverse('issues-list')