authorFrédéric Péters <fpeters@entrouvert.com>2019-09-24 07:59:14 (GMT)
committerFrédéric Péters <fpeters@entrouvert.com>2019-09-25 06:52:24 (GMT)
commit0378b9fed5167cba856bce7e2dd75f3e2385f9ba (patch)
treee3f7e176b1ef61b899cfc5237594d8c816fb186c
parentb7763d995f434c0bca009dcc1d7faefaa07420c4 (diff)
misc: limit api/menu-badges parameters to digits (#36387)v2.34
-rw-r--r--combo/public/views.py2
-rw-r--r--tests/test_notification.py9
2 files changed, 9 insertions, 2 deletions
diff --git a/combo/public/views.py b/combo/public/views.py
index 435dff6..e690754 100644
--- a/combo/public/views.py
+++ b/combo/public/views.py
@@ -524,7 +524,7 @@ def error404(request, *args, **kwargs):
def menu_badges(request):
context = {'request': request}
- page_ids = request.GET.getlist('page[]')
+ page_ids = [x for x in request.GET.getlist('page[]') if x.isdigit()]
cells = []
for klass in CellBase.get_cell_classes(lambda x: bool(x.get_badge)):
cells.extend(klass.objects.filter(page_id__in=page_ids))
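Review bot: The `isdigit()` filter on the new page_ids line still lets through Unicode digit characters that are not decimal digits — `'²'.isdigit()` is True while `int('²')` raises ValueError — so such a value reaches the `page_id__in` lookup on the last line of the hunk, where the integer coercion presumably fails with an exception instead of the value being dropped like the other non-numeric input. `str.isdecimal()` matches exactly what `int()` accepts, so the guard should read `page_ids = [x for x in request.GET.getlist('page[]') if x.isdecimal()]`. The body of menu_badges continues past the hunk.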
diff --git a/tests/test_notification.py b/tests/test_notification.py
index 821876d..ebb4756 100644
--- a/tests/test_notification.py
+++ b/tests/test_notification.py
@@ -17,6 +17,8 @@ from combo.data.models import Page
from combo.apps.notifications.models import Notification, NotificationsCell
from combo.apps.lingo.models import Regie, ActiveItems, PaymentBackend
+from .test_manager import login as login_app
+
pytestmark = pytest.mark.django_db
client = Client()
@@ -83,10 +85,11 @@ def test_notification_api(john_doe, jane_doe):
assert notification.acked is True
-def test_notification_cell(john_doe, jane_doe):
+def test_notification_cell(app, john_doe, jane_doe):
page = Page(title='notif', slug='test_notification_cell', template_name='standard')
page.save()
cell = NotificationsCell(page=page, placeholder='content', order=0)
+ cell.save()
context = {'request': RequestFactory().get('/')}
context['synchronous'] = True # to get fresh content
@@ -141,6 +144,10 @@ def test_notification_cell(john_doe, jane_doe):
assert 'notiother' in content
assert cell.get_badge(context) == {'badge': '1'}
+ app = login_app(app, username='jane.doe', password='jane.doe')
+ resp = app.get('/api/menu-badges/?page[]=%s' % page.id)
+ assert resp.json == {'1': {'badge': '1'}}
+
def test_notification_ws(john_doe):