api: returns 400 on invalid fillslot's event_pk (#35451)

2019-08-19 15:34:03 +02:00 · 2019-08-19 15:34:03 +02:00 · 61e0c590b8
parent 2310528fc2
commit 61e0c590b8
2 changed files with 13 additions and 1 deletions
--- a/chrono/api/views.py
+++ b/chrono/api/views.py
@ -423,7 +423,13 @@ class Fillslots(APIView):
            meeting_type_id = slots[0].split(':')[0]
            datetimes = set()
            for slot in slots:
-                meeting_type_id_, datetime_str = slot.split(':')
+                try:
+                    meeting_type_id_, datetime_str = slot.split(':')
+                except ValueError:
+                    return Response({
+                        'err': 1,
+                        'reason': 'invalid slot: %s' % slot,
+                    }, status=status.HTTP_400_BAD_REQUEST)
                if meeting_type_id_ != meeting_type_id:
                    return Response({
                        'err': 1,
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -561,6 +561,12 @@ def test_booking_api_meeting(app, meetings_agenda, user):
            ).path == '/api/agenda/%s/fillslot/%s/' % (meetings_agenda.slug, event_id)

    app.authorization = ('Basic', ('john.doe', 'password'))
+
+    # verify malformed event_pk returns a 400
+    resp_booking = app.post('/api/agenda/%s/fillslot/None/' % agenda_id, status=400)
+    assert resp_booking.json['err'] == 1
+
+    # make a booking
    resp_booking = app.post('/api/agenda/%s/fillslot/%s/' % (agenda_id, event_id))
    assert Booking.objects.count() == 1
    assert resp_booking.json['datetime'] == localtime(Booking.objects.all()[0].event.start_datetime