
0001-api-check-limit-offset-parameters-are-valid-28773.patch

Frédéric Péters, 08 décembre 2018 20:45



Subject: [PATCH] api: check limit/offset parameters are valid (#28773)

 tests/test_api.py            | 16 ++++++++++++++++
 wcs/api.py                   | 14 ++++++++++----
 wcs/backoffice/management.py | 10 ++++++++--
 3 files changed, 34 insertions(+), 6 deletions(-)
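--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1550,6 +1550,10 @@
         resp_partial_ids.extend([x.get('id') for x in resp.json])
     assert resp_all_ids == resp_partial_ids
 
+    # check error handling
+    get_app(pub).get(sign_uri('/api/forms/test/list?filter=all&offset=plop', user=local_user), status=400)
+    get_app(pub).get(sign_uri('/api/forms/test/list?filter=all&limit=plop', user=local_user), status=400)
+
 def test_api_anonymized_formdata(pub, local_user, admin_user):
     Role.wipe()
     role = Role(name='test')
@@ -1845,6 +1849,18 @@
     resp = get_app(pub).get(sign_uri('/api/forms/?status=done', user=local_user))
     assert len(resp.json['data']) == 20
 
+    # check limit/offset
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&limit=5', user=local_user))
+    assert len(resp.json['data']) == 5
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&offset=5&limit=5', user=local_user))
+    assert len(resp.json['data']) == 5
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&offset=18&limit=5', user=local_user))
+    assert len(resp.json['data']) == 2
+
+    # check error handling
+    get_app(pub).get(sign_uri('/api/forms/?status=done&limit=plop', user=local_user), status=400)
+    get_app(pub).get(sign_uri('/api/forms/?status=done&offset=plop', user=local_user), status=400)
+
 def test_api_global_listing_ignored_roles(pub, local_user):
     test_api_global_listing(pub, local_user)
 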
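Review bot: The added error-handling checks exercise only a non-numeric string (`plop`); negative values are not covered, and with the accompanying wcs/api.py change `offset=-1` would pass int() and not yield a 400, so such a test only becomes meaningful once the server rejects them. If a non-negative check is added on the server side, a case such as `get_app(pub).get(sign_uri('/api/forms/?status=done&offset=-1', user=local_user), status=400)` next to the existing two would pin it. The limit/offset assertions in the second hunk depend on the 20 matching forms the `== 20` assertion just above relies on, which are set up earlier in test_api_global_listing, outside the hunk.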
wcs/api.py
28 28
from qommon import misc
29 29
from qommon.evalutils import make_datetime
30 30
from qommon.errors import (AccessForbiddenError, QueryError, TraversalError,
31
    UnknownNameIdAccessForbiddenError)
31
    UnknownNameIdAccessForbiddenError, RequestError)
32 32
from qommon.form import ComputedExpressionWidget, ConditionWidget
33 33

  
34 34
from wcs.categories import Category
......
213 213
            roles_criterias = criterias
214 214
            criterias = management_directory.get_global_listing_criterias(ignore_user_roles=True)
215 215

  
216
        limit = int(get_request().form.get('limit',
217
            get_publisher().get_site_option('default-page-size') or 20))
218
        offset = int(get_request().form.get('offset', 0))
216
        try:
217
            limit = int(get_request().form.get('limit',
218
                get_publisher().get_site_option('default-page-size') or 20))
219
        except ValueError:
220
            raise RequestError('invalid limit parameter')
221
        try:
222
            offset = int(get_request().form.get('offset', 0))
223
        except ValueError:
224
            raise RequestError('invalid offset parameter')
219 225
        order_by = get_request().form.get('order_by',
220 226
            get_publisher().get_site_option('default-sort-order') or '-receipt_time')
221 227

  
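Review bot: The new try/except in the second hunk only rejects values that fail int(); a negative number such as `offset=-1` or `limit=-1` still validates and is handed on to the listing code, whose handling of negative values is not visible here. A sign check after each conversion, `if offset < 0: raise RequestError('invalid offset parameter')` and the same for limit, would close that without changing the interface. Nothing bounds a large `limit` either, so a signed client can still pull the whole result set in one call; a site-level maximum may be worth considering. If `get_request().form` can hand back a list for a repeated query parameter, int() raises TypeError rather than ValueError and the request would still end in a 500 — `except (TypeError, ValueError)` covers both. The enclosing method starts before this hunk.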
wcs/backoffice/management.py
1610 1610
        query = get_request().form.get('q') if not anonymise else None
1611 1611
        offset = None
1612 1612
        if 'offset' in get_request().form:
1613
            offset = int(get_request().form['offset'])
1613
            try:
1614
                offset = int(get_request().form['offset'])
1615
            except ValueError:
1616
                raise errors.RequestError('invalid offset parameter')
1614 1617
        limit = None
1615 1618
        if 'limit' in get_request().form:
1616
            limit = int(get_request().form['limit'])
1619
            try:
1620
                limit = int(get_request().form['limit'])
1621
            except ValueError:
1622
                raise errors.RequestError('invalid limit parameter')
1617 1623
        items, total_count = FormDefUI(self.formdef).get_listing_items(
1618 1624
            selected_filter, user=user, query=query, criterias=criterias,
1619 1625
            order_by=order_by, anonymise=anonymise, offset=offset, limit=limit)
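Review bot: The parsing in this hunk duplicates, line for line, the limit/offset handling the same patch adds to wcs/api.py, differing only in the `errors.RequestError` spelling; a small shared helper such as `get_int_param(name, default=None)` in qommon would keep the API and backoffice paths from drifting. It would also be the natural place for a non-negative check, which neither copy performs since int() accepts `-1`; as a minimal change here, `if offset < 0: raise errors.RequestError('invalid offset parameter')` and the same for limit after each conversion. The enclosing method starts before this hunk.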
1620
-